Even the largest websites, with turnover in the billions, can have vulnerabilities. That is why these companies run bug bounty programs that pay researchers substantial sums for finding bugs and vulnerabilities.
Earlier this month, Iranian web developer Pouya Darabi discovered a critical vulnerability in Facebook that let anyone delete any photo on the social media platform. The flaw resided in Facebook’s new Poll feature, launched earlier this month, which lets users create polls that include GIFs and images.
While analysing this feature, Darabi found that when a user creates a poll, a request is sent to the Facebook servers carrying the image ID of the chosen photo, and that anyone could replace this ID with the ID of any other image on the network. Once the image ID is changed in the URL, that image is shown in the poll.
“Whenever a user tries to create a poll, a request containing gif URL or image id will be sent, poll_question_data[options][associated_image_id] contains the uploaded image id,” Darabi said. “When this field value changes to any other image’s ID, that image will be shown in the poll.”
Moreover, if the poll creator then deletes the poll, the original image, sourced from someone else’s page, is permanently deleted along with it.
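The defect described above is a missing server-side ownership check on the client-supplied image ID. The following is an added example, not Facebook’s code: it models the poll-creation request with the field named in the writeup, shows the unchecked handling beside a hardened version, and uses only constructed ids and hypothetical users (“alice”, “bob”, “mallory”).

```python
import copy

# Constructed sample data (not real Facebook ids): image_id -> owning user
IMAGES = {"img-1001": "alice", "img-2002": "bob"}

# Constructed poll-creation request shaped after the field named in the writeup;
# "mallory" is a hypothetical poll creator pointing the poll at bob's photo.
REQUEST = {"poll_question_data": {"options": {"associated_image_id": "img-2002"}}}


class NotAuthorized(Exception):
    pass


def image_id_from(request):
    return request["poll_question_data"]["options"]["associated_image_id"]


def create_poll_unsafe(user, request, images):
    # Trusts the client-supplied id: no check that `user` owns the image.
    return {"owner": user, "image_id": image_id_from(request)}


def delete_poll_unsafe(user, poll, images):
    # Removes whatever image the poll references, whoever owns it.
    images.pop(poll["image_id"], None)


def create_poll_safe(user, request, images):
    # Server-side ownership check: reject ids of images the caller does not own.
    image_id = image_id_from(request)
    if images.get(image_id) != user:
        raise NotAuthorized(f"{user} does not own {image_id}")
    return {"owner": user, "image_id": image_id}


def delete_poll_safe(user, poll, images):
    # Only the poll owner may delete, and only an image they own goes with it.
    if poll["owner"] != user:
        raise NotAuthorized(f"{user} does not own this poll")
    if images.get(poll["image_id"]) == user:
        del images[poll["image_id"]]


def run_scenario():
    """Report whether bob's image survives mallory's poll under each version."""
    unsafe = copy.deepcopy(IMAGES)
    delete_poll_unsafe("mallory", create_poll_unsafe("mallory", REQUEST, unsafe), unsafe)
    safe = copy.deepcopy(IMAGES)
    try:
        create_poll_safe("mallory", REQUEST, safe)
        rejected = False
    except NotAuthorized:
        rejected = True
    return {"unsafe_survives": "img-2002" in unsafe,
            "safe_rejected": rejected, "safe_survives": "img-2002" in safe}


if __name__ == "__main__":
    print(run_scenario())
```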
As soon as Darabi discovered the vulnerability, he reported it to Facebook on November 3. The social media giant responded immediately, releasing a temporary fix the same day and a permanent fix on November 5. On November 8, Facebook awarded him a $10,000 bounty for preventing potential damage to both users and the company’s reputation.
Image removal vulnerability in Facebook polling feature: https://blog.darabi.me/2017/11/image-removal-vulnerability-in-facebook.html
Posted by Dynamic World on Tuesday, 21 November 2017
This isn’t the first time Darabi has received a reward from Facebook. In 2015, the company awarded him a $15,000 bug bounty for bypassing its protection against cross-site request forgery (CSRF), and in 2016 he earned another $7,500 for finding a similar issue.