If you think a website worth more than $500 billion cannot have a single vulnerability, you are wrong.
Pouya Darabi, an Iranian web developer, discovered and reported a critical yet straightforward vulnerability in Facebook earlier this month that could have allowed anyone to delete any photo on the social media platform.
The vulnerability resided in Facebook's new Poll feature, launched by the social media giant earlier this month, which lets users post polls that include images and GIF animations.
Darabi analyzed the feature and found that when creating a new poll, anyone could replace the image ID (or GIF URL) in the request sent to the Facebook server with the image ID of any photo on the social network.
After sending the request with another user's image ID (a photo uploaded by someone else), that photo would appear in the poll.
“Whenever a user tries to create a poll, a request containing a gif URL or image id will be sent; poll_question_data[options][associated_image_id] contains the uploaded image id,” Darabi said. “When this field value is changed to any other image's ID, that image will be shown in the poll.”
If the creator of the poll then deleted that post (the poll), as demonstrated in the video, the source photo whose image ID had been inserted into the request was deleted as well, even though the poll creator did not own that photo. The root cause is a missing server-side authorization check: the poll endpoint accepted whatever image ID the client supplied without verifying that the requester owned that image, so the deletion that cascaded from the poll to its associated image acted on someone else's photo.
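The following is an added example, not Facebook's code and not from Darabi's write-up: a minimal in-memory model of the flow described above, with the flawed behaviour (any image ID accepted at poll creation, deletion cascading to the image) beside the obvious fix (verify ownership of the referenced image before attaching it). The store layout, the function names and the form-field handling are assumptions for illustration; the only element taken from the page is the `poll_question_data[options][associated_image_id]` field name.

```python
"""Model of the poll-creation IDOR described above (added example, not
Facebook's code). Store layout and function names are assumptions."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller references an object it does not own."""


@dataclass
class Store:
    photos: dict = field(default_factory=dict)   # image_id -> owner
    polls: dict = field(default_factory=dict)    # poll_id -> (owner, image_id)
    next_poll_id: int = 1


def upload_photo(store, user, image_id):
    """Record that `user` owns `image_id` (assumed upload path)."""
    store.photos[image_id] = user


def create_poll(store, user, form, check_ownership):
    """Handle a poll-creation request.

    `form` mirrors the flattened field named in the write-up. With
    check_ownership=False the server trusts the client-supplied image ID,
    which is the bug; with check_ownership=True it first verifies that the
    image exists and belongs to the requester.
    """
    image_id = form["poll_question_data[options][associated_image_id]"]
    if check_ownership:
        if store.photos.get(image_id) != user:
            raise Forbidden(f"{user} does not own image {image_id}")
    elif image_id not in store.photos:
        raise KeyError(image_id)
    poll_id = store.next_poll_id
    store.next_poll_id += 1
    store.polls[poll_id] = (user, image_id)
    return poll_id


def delete_poll(store, user, poll_id):
    """Delete a poll and, as the write-up describes, its associated image.

    Poll deletion itself is correctly gated on poll ownership. The damage
    comes from the cascade: the image was never checked at creation, so it
    may belong to someone else.
    """
    owner, image_id = store.polls[poll_id]
    if owner != user:
        raise Forbidden(f"{user} does not own poll {poll_id}")
    del store.polls[poll_id]
    store.photos.pop(image_id, None)


def victim_photo_survives(check_ownership):
    """Run the attack against a constructed store and report whether the
    victim's photo still exists afterwards."""
    store = Store()
    upload_photo(store, "victim", "img-victim-1")      # constructed sample data
    upload_photo(store, "attacker", "img-attacker-1")
    # The attacker swaps their own image ID for the victim's in the request.
    tampered_form = {
        "poll_question_data[options][associated_image_id]": "img-victim-1",
    }
    try:
        poll_id = create_poll(store, "attacker", tampered_form, check_ownership)
    except Forbidden:
        return "img-victim-1" in store.photos   # request rejected, photo intact
    delete_poll(store, "attacker", poll_id)     # cascade deletes the victim's photo
    return "img-victim-1" in store.photos


if __name__ == "__main__":
    print("vulnerable server, photo survives:", victim_photo_survives(False))
    print("hardened server, photo survives:  ", victim_photo_survives(True))
```

The check belongs at creation time, not only at deletion time: once a foreign image ID has been accepted into the poll record, every later operation that trusts that record (display, edit, cascade delete) inherits the wrong authorization decision.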
The researcher said he received a $10,000 bug bounty from Facebook after responsibly reporting the vulnerability to the social network on November 3. Facebook patched the issue on November 5.
This isn't the first time Facebook has been found to have such a vulnerability. In the past, researchers have discovered and reported several issues that let them delete videos, photo albums, and comments, and modify messages on the social media platform.
Darabi has previously been awarded a $15,000 bug bounty by Facebook for bypassing its cross-site request forgery (CSRF) protection (in 2015) and another $7,500 for a similar issue (in 2016).