Facebook flaw allowed unauthorised users to delete any photo

Graham Cluley

“Move fast and break things” used to be the mantra of Facebook’s developers, emphasising speed of rolling out new features rather than necessarily caring about how well they may have been implemented.

They may not promote that motto quite so heavily these days, but it’s clearly still an issue that innovation may sometimes be considered more important than security and privacy.

For instance, a security researcher found a way of deleting *any* photo on Facebook after the social network rolled out a new polling feature.

As Eduard Kovacs at Security Week reports:

In early November, Facebook announced a new feature for posting polls that include images and GIF animations. Iran-based security researcher and web developer Pouya Darabi analyzed the feature shortly after its launch and discovered that it introduced an easy-to-exploit flaw.

When a user created a poll, the request sent to Facebook servers included the identifiers of the image files added to the poll. The expert noticed that users could replace the image ID in the request with the ID of any photo on Facebook and that photo would appear in the poll.

Darabi then discovered that once the creator of the poll deleted the post, the image whose ID was added to the request would also get removed from Facebook.

This kind of boo-boo suggests a more serious permissions-based problem with Facebook. You may be able to add any image that you can find on Facebook (“read access”) but there’s no way that that should translate into meaning that you can also command Facebook to delete the image (“write access”).
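The read/write gap described above can be made concrete with a small in-memory model: a poll accepts any existing photo ID on creation, and the question is what the delete cascade is allowed to touch. This is an added illustration, not Facebook's code; PollService, delete_poll_vulnerable, delete_poll_fixed and the users alice and bob are constructed for the example.

```python
# Toy in-memory model of photos and image polls (constructed; not Facebook's code).
import itertools


class PollService:
    def __init__(self):
        self.photos = {}  # photo_id -> owner
        self.polls = {}   # poll_id -> (creator, [photo_id, ...])
        self._ids = itertools.count(1)

    def upload_photo(self, user):
        pid = next(self._ids)
        self.photos[pid] = user
        return pid

    def create_poll(self, user, photo_ids):
        # Read access is broad by design: any existing photo ID may appear in the poll.
        if any(pid not in self.photos for pid in photo_ids):
            raise KeyError("unknown photo id")
        poll_id = next(self._ids)
        self.polls[poll_id] = (user, list(photo_ids))
        return poll_id

    def _take_poll(self, user, poll_id):
        creator, photo_ids = self.polls[poll_id]
        if creator != user:
            raise PermissionError("only the poll creator may delete it")
        del self.polls[poll_id]
        return photo_ids

    def delete_poll_vulnerable(self, user, poll_id):
        # Flawed cascade: every referenced photo is removed, so IDs supplied
        # by the caller at creation time have become a delete capability.
        for pid in self._take_poll(user, poll_id):
            self.photos.pop(pid, None)

    def delete_poll_fixed(self, user, poll_id):
        # Hardened cascade: ownership is checked per photo, so only photos
        # the poll creator uploaded are removed; merely referenced ones stay.
        for pid in self._take_poll(user, poll_id):
            if self.photos.get(pid) == user:
                del self.photos[pid]


def victim_photo_survives(use_fix):
    # Replay the reported scenario: bob's poll references alice's photo, bob deletes the poll.
    svc = PollService()
    alice_pid = svc.upload_photo("alice")
    poll_id = svc.create_poll("bob", [alice_pid])
    (svc.delete_poll_fixed if use_fix else svc.delete_poll_vulnerable)("bob", poll_id)
    return alice_pid in svc.photos
```

The check that matters is the per-photo ownership test in the fixed cascade; the poll-level creator check alone does nothing to protect a photo that was merely referenced.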

Darabi has won a $10,000 bug bounty for his discovery, and Facebook says that it patched the security hole earlier this month.

Hmm. Actually it’s kind of a shame that the hole has been fixed.

I can imagine it would be a handy way to force the take down of distressing images that others have posted of you on the network, either because they tagged you in pictures that made you look fat or because they were intimate photos being shared by a vengeful ex-partner.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
