Security researchers uncovered a dangerous Facebook bug which allows hackers and malicious users to delete other users' photos without accessing their accounts. The vulnerability was found in the newly implemented poll feature.
Facebook Bug Can Trigger Arbitrary Photo Deletion by Malicious Users
Facebook, being the most important social media platform, has been found to contain yet another security vulnerability. An Iranian security expert disclosed a bug in the system that practically allows anyone to delete a photo (or another type of posted image) belonging to any Facebook user without needing access to their account. Following the investigation, the problem was identified in a new feature related to the poll function of the social network. The researcher discovered that the Facebook programmers had made a flaw in the code which allows malicious users to manipulate the site into deleting the posted content.
The discovery comes as a surprise, as the poll feature was introduced earlier this month on both the desktop site and the mobile applications. It is used by Facebook’s users to create polls and upload photos or animated GIF pictures to go alongside the proposed options. It is this procedure that holds the vulnerable code: the flaw lies in its implementation.
How the Facebook Bug Works
The principle behind the discovered Facebook bug is actually pretty simple. Every time a user creates a poll on the site, the field values containing images are posted by sending a network GET request to the remote host. Like other web components, every image is automatically assigned a certain component or ID. The security researcher uncovered that if the image is changed, the exact ID is exposed in the poll itself.
Facebook relies heavily on a complex script engine that powers the site, which allows users to execute commands on it if they have access to the necessary values and permissions. Since the image ID was exposed and the site allows command execution, the poll creator can effectively delete anyone’s photo on Facebook by using the discovered image ID.
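The mechanism described above, as an added illustration that is not Facebook's code and not taken from the original report: a hypothetical poll service that removes attached photos when a poll is deleted, first trusting the client-supplied photo ID as-is, then with the ownership check such a flaw lacks. All user names, photo IDs and data here are constructed.

```python
"""Hypothetical model of a poll/attachment authorization flaw (not Facebook's code)."""
from dataclasses import dataclass


@dataclass
class Photo:
    photo_id: int
    owner: str


@dataclass
class Poll:
    poll_id: int
    creator: str
    attached_photo_ids: list


def make_store():
    """Constructed sample data: two users, one photo each."""
    return {"photos": {101: Photo(101, "alice"), 202: Photo(202, "bob")},
            "polls": {}}


def create_poll_vulnerable(store, user, poll_id, photo_ids):
    # Flawed: any photo ID the client sends is accepted without checking who owns it.
    store["polls"][poll_id] = Poll(poll_id, user, list(photo_ids))


def delete_poll_vulnerable(store, user, poll_id):
    # Flawed: every referenced photo is deleted, whoever owns it.
    poll = store["polls"].pop(poll_id)
    for pid in poll.attached_photo_ids:
        store["photos"].pop(pid, None)


def create_poll_fixed(store, user, poll_id, photo_ids):
    # Hardened: reject any attachment the requesting user does not own.
    for pid in photo_ids:
        photo = store["photos"].get(pid)
        if photo is None or photo.owner != user:
            raise PermissionError(f"photo {pid} is not owned by {user}")
    store["polls"][poll_id] = Poll(poll_id, user, list(photo_ids))


def delete_poll_fixed(store, user, poll_id):
    # Hardened: only the creator may delete, and ownership is re-checked per photo.
    poll = store["polls"].get(poll_id)
    if poll is None or poll.creator != user:
        raise PermissionError("only the poll creator may delete this poll")
    del store["polls"][poll_id]
    for pid in poll.attached_photo_ids:
        photo = store["photos"].get(pid)
        if photo is not None and photo.owner == user:
            del store["photos"][pid]
```

The key defensive point is that an identifier being visible in a request is not a secret; the server must verify that the caller is authorized for the object that identifier names, both when the reference is stored and when it is acted upon.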
Similar abuse is not unknown to Facebook. In the past, web developers and security experts reported a Graph API technique which also allowed deletion of Facebook users' photos without accessing their accounts directly. The reported incidents and vulnerabilities show that while the social network continues to grow by adding new features, it should focus more on tighter security and thorough code analysis. Fortunately, no abuse has been reported so far.