Facebook flaw allowed unauthorised users to delete any photo

They moved fast, they broke things.

Graham Cluley

“Move fast and break things” used to be the mantra of Facebook’s developers, emphasising speed of rolling out new features rather than necessarily caring about how well they may have been implemented.

They may not promote that motto quite so heavily these days, but it’s clearly still an issue that innovation may sometimes be considered more important than security and privacy.

For instance, a security researcher found a way of deleting *any* photo on Facebook after the social network rolled out a new polling feature.

As Eduard Kovacs at Security Week reports:

In early November, Facebook announced a new feature for posting polls that include images and GIF animations. Iran-based security researcher and web developer Pouya Darabi analyzed the feature shortly after its launch and discovered that it introduced an easy-to-exploit flaw.

When a user created a poll, the request sent to Facebook servers included the identifiers of the image files added to the poll. The expert noticed that users could replace the image ID in the request with the ID of any photo on Facebook and that photo would appear in the poll.

Darabi then discovered that once the creator of the poll deleted the post, the image whose ID was added to the request would also get removed from Facebook.

This kind of boo-boo suggests a more serious permissions-based problem with Facebook. You may be able to add any image that you can find on Facebook (“read access”), but that should never translate into being able to command Facebook to delete the image (“write access”).
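To make the read-versus-write point concrete, here is a small, constructed model of the bug class (this is added illustration, not Facebook's code, and the object names, service classes and in-memory store are all assumptions). The vulnerable service mirrors the reported behaviour: it attaches whatever photo ID the client supplies and, when the poll is deleted, cascades the delete to every attached photo without ever comparing the photo's owner with the actor. The hardened service authorises the actor against each object on attach and on delete, and deleting a post only detaches photos rather than destroying them.

```python
"""Toy model of the poll-attachment authorisation bug described in the article.

Constructed example: an in-memory store of photos and polls, a vulnerable poll
service that cascades deletes without ownership checks, and a hardened variant
that checks the actor against the object on every operation.
"""
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: str
    owner: str


@dataclass
class Poll:
    poll_id: str
    creator: str
    photo_ids: list = field(default_factory=list)


class Store:
    """In-memory stand-in for the photo and post databases (assumed)."""

    def __init__(self):
        self.photos = {}
        self.polls = {}
        self._counter = 0

    def add_photo(self, owner):
        self._counter += 1
        pid = f"photo{self._counter}"
        self.photos[pid] = Photo(pid, owner)
        return pid

    def new_poll_id(self):
        return f"poll{len(self.polls) + 1}"


class VulnerablePollService:
    """Reproduces the reported behaviour: any photo ID in the request is
    attached, and deleting the poll removes every attached photo."""

    def __init__(self, store):
        self.store = store

    def create_poll(self, user, photo_ids):
        # Defect 1: photo IDs come straight from the client; ownership is never checked.
        poll = Poll(self.store.new_poll_id(), user, list(photo_ids))
        self.store.polls[poll.poll_id] = poll
        return poll.poll_id

    def delete_poll(self, user, poll_id):
        poll = self.store.polls.pop(poll_id)
        # Defect 2: the cascade trusts the attachment list, so "read" access to a
        # photo (being able to reference it) becomes "write" access (deleting it).
        for pid in poll.photo_ids:
            self.store.photos.pop(pid, None)


class HardenedPollService:
    """Authorises the actor against each object on attach and on delete."""

    def __init__(self, store):
        self.store = store

    def create_poll(self, user, photo_ids):
        # Only photos the requesting user owns may be attached.
        for pid in photo_ids:
            photo = self.store.photos.get(pid)
            if photo is None or photo.owner != user:
                raise PermissionError(f"{user} may not attach {pid}")
        poll = Poll(self.store.new_poll_id(), user, list(photo_ids))
        self.store.polls[poll.poll_id] = poll
        return poll.poll_id

    def delete_poll(self, user, poll_id):
        poll = self.store.polls.get(poll_id)
        if poll is None or poll.creator != user:
            raise PermissionError(f"{user} may not delete {poll_id}")
        del self.store.polls[poll_id]
        # Deleting the post detaches photos; it never deletes them. Photo deletion
        # goes through delete_photo, which applies its own owner check.
        return list(poll.photo_ids)

    def delete_photo(self, user, photo_id):
        photo = self.store.photos.get(photo_id)
        if photo is None or photo.owner != user:
            raise PermissionError(f"{user} may not delete {photo_id}")
        del self.store.photos[photo_id]


def victim_photo_survives(service_cls):
    """Run the reported sequence (attach someone else's photo, then delete the
    poll) against a service and report whether the other user's photo is intact."""
    store = Store()
    victim_photo = store.add_photo("victim")
    svc = service_cls(store)
    try:
        poll_id = svc.create_poll("other_user", [victim_photo])
        svc.delete_poll("other_user", poll_id)
    except PermissionError:
        pass  # the hardened service refuses at the attach step
    return victim_photo in store.photos


if __name__ == "__main__":
    print("vulnerable:", victim_photo_survives(VulnerablePollService))  # False
    print("hardened:  ", victim_photo_survives(HardenedPollService))    # True
```

The design point is that the authorisation decision has to be made per object and per operation: referencing a photo in a request is a read on that photo, removing it is a write, and a cascade that deletes child objects must re-check the actor's rights on each child (or, as here, simply not cascade across ownership boundaries at all). A regression test like `victim_photo_survives` is the kind of check a defender would keep around for any feature that lets a request carry foreign object IDs.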

Darabi has won a $10,000 bug bounty for his discovery, and Facebook says that it patched the security hole earlier this month.

Hmm. Actually it’s kind of a shame that the hole has been fixed.

I can imagine it would be a handy way to force the take down of distressing images that others have posted of you on the network, either because they tagged you in pictures that made you look fat or because they were intimate photos being shared by a vengeful ex-partner.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.