Skip to main content

Facebook squashes bug that let anyone delete any picture or animation

Facebook 3D posts
Image used with permission by copyright holder
If you’re putting your life out there on Facebook, then you’re probably hoping your priceless images remain around for all posterity. At the very least, you want to be the one to remove them from the site should you decide they contradict your recent conversion to Buddhism. Fortunately for you and every other Facebook user, a bug was discovered and fixed that would have allowed anyone to easily delete your pictures and animated GIFs.

As reported by Security Week, the flaw was identified by Iranian security researcher Pouya Darobi, who was taking a look at a new Facebook polling feature and discovered a simple method for deleting any image or animation posted on Facebook. Thanks to Facebook’s generous bug bounty program, which put $10,000 in Darobi’s bank account, the bug was promptly reported and Facebook implemented a temporary fix on November 3, the day the bug was reported. A permanent fix came out on November 5.

At the heart of the program was a new polling feature that Facebook rolled out at the beginning of November. The feature allows users to create polls and add pictures and GIF animations. The poll creation process generates code that includes the unique image identification number for each picture and animation that is included with the poll.

If the poll post was subsequently deleted, then the images were deleted as well. The problem was caused by the ability to replace the image ID in the code with that of any other image on Facebook, including images owned by other users. Deleting the post deleted those images as well.

This is not the first bug that allowed users to delete Facebook materials. Other bugs have been discovered by researchers, like Darabi, that allowed the deletion of comments, videos, and photos. Like this bug, the method in many instances revolved around simply replacing the asset ID.

Darabi has made a pretty penny reporting bugs to Facebook, with a bug reported in 2015 that netted him $15,000 from the social media giant and $7,500 for another bug reported in 2016. All told, Facebook has shelled out well in excess of $5 million in its bug bounty program. It’s enough to make you want to spend some time locking down your Facebook account.

Editors' Recommendations

Mark Coppock
Mark has been a geek since MS-DOS gave way to Windows and the PalmPilot was a thing. He’s translated his love for…
Facebook admits to Messenger Kids security flaw but insists it’s fixed
unicef global innovations children youth summit kids using a tablet

Facebook missed a troubling design flaw in its Messenger Kids app that allowed children to communicate with users who hadn’t been approved by their parents.

The social networking giant launched the app in 2017, touting it as a way for children under 13 to “safely video chat and message with family and friends.” Parents set up Messenger Kids by authorizing it through their own Facebook account and then selecting the users with whom they’re happy for their child to connect.

Read more
A Facebook, Instagram bug exposed millions of passwords to its employees
Crisis Response Hub

Facebook software meant to disguise user passwords from employee access failed, leaving millions of passwords visible to the network's employees,  the company said on Thursday, March 21. The network said the bug was discovered in a routine review in January and has since been corrected. The bug exposed passwords for users on Facebook, Facebook Lite, and Instagram.

Facebook hasn’t found any evidence that the passwords were compromised externally -- the bug only exposed plain text passwords for the company’s employees, according to Facebook. The company also said they haven’t found evidence of internal employees abusing the information. Facebook didn’t say why it delayed telling users after finding the bug in January.

Read more
Did you give Facebook your phone number? You can’t delete it or make it private
voice assistants arent ready facebook targeted ads iphone x

Setting up two-factor authentication is usually a recommended move to keep important accounts secure -- but on Facebook, adding a phone number could impact privacy. After a tweet from a user complaining that Facebook required a phone number for two-factor authentication, Facebook’s iffy data practices are once again in the spotlight, this time with what actually happens to your phone number when adding two-factor authentication.

The practice coming into question isn’t new -- just highlighted by a new round of complaints. Facebook has offered two-factor authentication since 2011. The company says that phone numbers added to an account, including areas outside of two-factor authentication, are then linked to the account. Facebook uses those phone numbers for more than just security, using them for ad targeting if a business also has that same phone number and allowing other users to find their profile by typing the phone number into the search bar.

Read more