As reported by Security Week, the flaw was identified by Iranian security researcher Pouya Darobi, who was taking a look at a new Facebook polling feature and discovered a simple method for deleting any image or animation posted on Facebook. Thanks to
At the heart of the program was a new polling feature that Facebook rolled out at the beginning of November. The feature allows users to create polls and add pictures and GIF animations. The poll creation process generates code that includes the unique image identification number for each picture and animation that is included with the poll.
If the poll post was subsequently deleted, then the images were deleted as well. The problem was caused by the ability to replace the image ID in the code with that of any other image on Facebook, including images owned by other users. Deleting the post deleted those images as well.
This is not the first bug that allowed users to delete Facebook materials. Other bugs have been discovered by researchers, like Darabi, that allowed the deletion of comments, videos, and photos. Like this bug, the method in many instances revolved around simply replacing the asset ID.
Darabi has made a pretty penny reporting bugs to Facebook, with a bug reported in 2015 that netted him $15,000 from the social media giant and $7,500 for another bug reported in 2016. All told, Facebook has shelled out well in excess of $5 million in its bug bounty program. It’s enough to make you want to spend some time locking down your Facebook account.
Editors' Recommendations
- Facebook’s new privacy tool convinced me to delete my account
- Apple finally expands its bug bounty program to accept MacOS bugs
- Google’s Android bug bounty program announces a $1 million prize
- Tesla squashes Dog Mode bug that could have let cars get too hot
- Facebook let advertisers target you using two-factor authentication numbers
