Facebook flaw allowed unauthorised users to delete any photo

They moved fast, they broke things.

Facebook flaw enabled unauthorised users to delete any photo

"Move fast and break things" used to be the mantra of Facebook's developers, emphasising speed of rolling out new features rather than necessarily caring about how well they may have been implemented.

They may not promote that motto quite so heavily these days, but it's clearly still an issue that innovation may sometimes be considered more important than security and privacy.

For instance, a security researcher found a way of deleting *any* photo on Facebook after the social network rolled out a new polling feature.

As Eduard Kovacs at Security Week reports:

In early November, Facebook announced a new feature for posting polls that include images and GIF animations. Iran-based security researcher and web developer Pouya Darabi analyzed the feature shortly after its launch and discovered that it introduced an easy-to-exploit flaw.

When a user created a poll, the request sent to Facebook servers included the identifiers of the image files added to the poll. The expert noticed that users could replace the image ID in the request with the ID of any photo on Facebook and that photo would appear in the poll.

Darabi then discovered that once the creator of the poll deleted the post, the image whose ID was added to the request would also get removed from Facebook.

This kind of boo-boo suggests a more serious permissions-based problem with Facebook. You may be able to add any image that you can find on Facebook ("read access") but there's no way that that should translate into meaning that you can also command Facebook to delete the image ("write access").

Darabi has won a $10,000 bug bounty for his discovery, and Facebook says that it patched the security hole earlier this month.

Hmm. Actually it's kind of a shame that the hole has been fixed.

I can imagine it would be a handy way to force the take down of distressing images that others have posted of you on the network, either because they tagged you in pictures that made you look fat or because they were intimate photos being shared by a vengeful ex-partner.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episodes:

,

No comments yet.

Leave a Reply