Facebook flaw allowed unauthorised users to delete any photo

They moved fast, they broke things.

Graham Cluley


“Move fast and break things” used to be the mantra of Facebook’s developers, emphasising speed of rolling out new features rather than necessarily caring about how well they may have been implemented.

They may not promote that motto quite so heavily these days, but it’s clearly still an issue that innovation may sometimes be considered more important than security and privacy.

For instance, a security researcher found a way of deleting *any* photo on Facebook after the social network rolled out a new polling feature.


As Eduard Kovacs at Security Week reports:

> In early November, Facebook announced a new feature for posting polls that include images and GIF animations. Iran-based security researcher and web developer Pouya Darabi analyzed the feature shortly after its launch and discovered that it introduced an easy-to-exploit flaw.
>
> When a user created a poll, the request sent to Facebook servers included the identifiers of the image files added to the poll. The expert noticed that users could replace the image ID in the request with the ID of any photo on Facebook and that photo would appear in the poll.
>
> Darabi then discovered that once the creator of the poll deleted the post, the image whose ID was added to the request would also get removed from Facebook.

This kind of boo-boo suggests a more serious permissions problem at Facebook. Being able to add any image you can find on Facebook to a poll (“read access”) should never translate into being able to command Facebook to delete that image (“write access”).
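To make that read-versus-write point concrete, here is a toy poll backend, added as an illustration rather than Facebook's own code (the page does not say how Facebook actually fixed the bug). The unchecked deletion cascades to every photo the poll references, exactly the behaviour Darabi found; the checked version deletes only photos the poll's creator owns and merely detaches the rest. User names and photo IDs are constructed for the scenario.

```python
from dataclasses import dataclass


@dataclass
class Photo:
    photo_id: int
    owner: str


class PollService:
    # Toy backend: photos keyed by ID; each poll is (creator, [photo ids]).
    def __init__(self, photos):
        self.photos = {p.photo_id: p for p in photos}
        self.polls = {}
        self.next_poll_id = 1

    def create_poll(self, user, photo_ids):
        # As the feature is described: the IDs come straight from the
        # client request, and any existing photo can be referenced.
        poll_id = self.next_poll_id
        self.next_poll_id += 1
        self.polls[poll_id] = (user, [p for p in photo_ids if p in self.photos])
        return poll_id

    def delete_poll_unchecked(self, user, poll_id):
        # Vulnerable: the cascade removes every attached photo without
        # asking who owns it, so a readable ID becomes a deletable one.
        creator, photo_ids = self.polls.pop(poll_id)
        if creator != user:
            raise PermissionError("only the creator may delete a poll")
        for pid in photo_ids:
            self.photos.pop(pid, None)

    def delete_poll_checked(self, user, poll_id):
        # Fixed: a photo is deleted only when the poll creator owns it;
        # anyone else's photo is merely detached from the poll.
        creator, photo_ids = self.polls.pop(poll_id)
        if creator != user:
            raise PermissionError("only the creator may delete a poll")
        for pid in photo_ids:
            photo = self.photos.get(pid)
            if photo is not None and photo.owner == user:
                del self.photos[pid]


def victim_photo_survives(checked):
    # Constructed scenario: "attacker" references "victim"'s photo 42 in a
    # poll alongside their own photo 7, then deletes the poll.
    svc = PollService([Photo(42, "victim"), Photo(7, "attacker")])
    poll_id = svc.create_poll("attacker", [42, 7])
    delete = svc.delete_poll_checked if checked else svc.delete_poll_unchecked
    delete("attacker", poll_id)
    return 42 in svc.photos
```

The difference between the two delete paths is a single ownership check per photo; the poll-level creator check alone is not enough.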

Darabi has won a $10,000 bug bounty for his discovery, and Facebook says that it patched the security hole earlier this month.

Hmm. Actually it’s kind of a shame that the hole has been fixed.

I can imagine it would be a handy way to force the take down of distressing images that others have posted of you on the network, either because they tagged you in pictures that made you look fat or because they were intimate photos being shared by a vengeful ex-partner.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
