A security flaw in Facebook allowed anyone to delete images uploaded by other users. Photo: Simon/Pixabay

A security researcher discovered a bug that allowed anyone who created a poll on Facebook using its recently introduced polling feature to delete any photo by any person uploaded to the social network.

Pouya Darabi, a web developer and security researcher, first found the issue in early November and reported it to Facebook. He was rewarded $10,000 for identifying the flaw, which has since been fixed to prevent it from being exploited.

The issue stemmed from Facebook’s recent update to its polls feature that allows users to list photos and GIFs as possible answers. Other users then vote in the poll by selecting one of the choices provided by the poll’s creator.

While the new support for GIFs and photos opened the polling feature up to new types of responses, it also created a new vulnerability that Darabi was able to exploit to delete any image hosted on the social network.

The security researcher accomplished the exploit by focusing on the unique identifier that is generated for each picture or GIF included in the poll. Every image uploaded to Facebook is assigned such a number.

By changing that unique ID to the number provided to any other image uploaded to Facebook, Darabi discovered he could make any image—even those uploaded by another user—appear in the poll.

More troubling, the exploit could be used to actually delete a photo uploaded by someone else. By changing the image ID in the poll to another photo’s numerical identifier and then deleting the poll, the image associated with the ID was also deleted—erasing someone else’s photo without their permission.

The issue occurred because Facebook assumed the ID of the photo in the poll belonged to a photo or GIF uploaded by the poll’s creator. When the poll was deleted, the image was deleted too, as it was considered part of the poll.
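The missing ownership check and two ways to close it can be shown with a toy in-memory model. This is an added illustration, not Facebook's code or Darabi's: the `Store` class, its method names, the user names and the photo IDs are all assumptions constructed for the example.

```python
class Forbidden(Exception):
    pass

class Store:
    def __init__(self):
        self.photos = {}   # photo_id -> owner
        self.polls = {}    # poll_id -> (creator, [photo_ids])
        self._next_poll = 1

    def upload(self, photo_id, owner):
        self.photos[photo_id] = owner

    def create_poll_vulnerable(self, creator, photo_ids):
        # Flaw described in the article: client-supplied IDs are trusted
        # and assumed to belong to the poll's creator.
        return self._save(creator, photo_ids)

    def create_poll_checked(self, creator, photo_ids):
        # Fix 1: object-level authorization on every referenced ID.
        for pid in photo_ids:
            if self.photos.get(pid) != creator:
                raise Forbidden(f"photo {pid} is not owned by {creator}")
        return self._save(creator, photo_ids)

    def _save(self, creator, photo_ids):
        poll_id = self._next_poll
        self._next_poll += 1
        self.polls[poll_id] = (creator, list(photo_ids))
        return poll_id

    def delete_poll(self, poll_id, requester, recheck_owner):
        creator, photo_ids = self.polls[poll_id]
        if requester != creator:
            raise Forbidden("only the creator may delete the poll")
        del self.polls[poll_id]
        for pid in photo_ids:
            # Fix 2 (defence in depth): cascade only to photos the
            # requester owns, even if a bad reference was stored earlier.
            if recheck_owner and self.photos.get(pid) != requester:
                continue
            self.photos.pop(pid, None)

def demo():
    s = Store()
    s.upload(101, "alice")   # constructed sample data
    s.upload(202, "bob")
    poll = s.create_poll_vulnerable("bob", [202, 101])
    s.delete_poll(poll, "bob", recheck_owner=False)
    return 101 in s.photos   # False: alice's photo went with bob's poll
```

Checking ownership when the reference is stored and again when the cascade runs means a single missed check does not turn a poll deletion into deletion of another user's photo.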

According to the security researcher, Facebook acted swiftly in response to the disclosure of the vulnerability. Darabi submitted the bug to the social network on November 3 and Facebook created a temporary fix for the issue about 13 hours later. By November 5, the issue was officially patched and Darabi was awarded the $10,000 bug bounty on November 8.

The incident is not the first time a flaw in Facebook allowed any person to delete a photo. In 2015, a security researcher discovered a method for deleting any photo on the site by executing a simple command in Facebook’s Graph application programming interface that would delete any person’s photo album.

Similar bugs have been discovered in the past that allow attackers to delete comments posted by other users or remove videos that someone else uploaded—both of which were discovered in the last two years.