Thursday, June 4, 2020

Another image removal vulnerability on Facebook

10:13 AM

Delete any Image on Facebook using Series Feature

delete vulnerability

I noticed the Series Feature was added to Facebook Creator Studio therefor I start digging on it.


A request containing image ids will be sent, by inserting images in the "Poster Art" or "Cover Image" sections after creating a series

Modifying that request with another image-id will create a series containing that image. Finally, deleting the series also makes the victim's image (which is the series property) to be deleted too.


Kudos to the Facebook security team for resolving this vulnerability instantly.

2 May 2020, 09:10 – Report Sent
2 May 2020, 10:39 – Triaged
2 May 2020, 22:46 - Fixed
2 Jun 2020,  $10,000 Bounty awarded

Read More

Monday, December 9, 2019

Media deletion CSRF vulnerability on Instagram

  No comments
10:27 PM

Media deletion CSRF vulnerability on Instagram

I noticed a copyright section has been added to instagram. whenever a user violated another person copyright, a notification will be shown to delete or request an appeal for the media.

After uploading a video containing a music I faced with copyright
It was interesting to me, so I started digging into it.

It was possible to delete media by a GET request

Vulnerable Endpoint:{MEDIA_ID}/copyright/dismiss_am/

The MEDIA_ID is a {story_id or post_id} that will be deleted

Opening the malicious link within the both Instagram app or web cause media deletion in the victim's account.

Android POC: Remove story CSRF in android

Web POC: Remove post CSRF in web

User could be tricked into deleting content they had posted on Instagram.

January 29, 2019 – Report Sent
January 29, 2019 – Triaged
January 30, 2019 - Permanent fix
February 14, 2019   $3,000 Bounty awarded

Read More

Saturday, November 25, 2017

Image removal vulnerability in Facebook polling feature

2:12 PM

Delete any
Image on Facebook

When I was checking out facebook's new features, I noticed that polling feature were added to the posts so I start working on it.


Whenever a user tries to create a poll, a request containing gif URL or image id will be sent,
poll_question_data[options][][associated_image_id] contains the uploaded image id.

When this field value changes to any other images ID, that image will be shown in poll.
After sending request with another user image ID, a poll containing that image would be created.
Our uploaded image has been replaced by victim's image

At the end when we try to delete the poll, victim's image would be deleted with it by facebook as a poll property.


I appreciate Facebook security team for resolving this vulnerability quickly.

3 Nov 2017, 03:16 – Report Sent
3 Nov 2017, 15:25 – Triaged
3 Nov 2017, 16:46 - Temporary fix
5 Nov 2017, 15:03 - Permanent fix
8 Nov 2017   $10,000 Bounty awarded

Read More

Tuesday, May 17, 2016

How I bypassed Facebook CSRF once again!

9:52 AM

I found a vulnerability in Facebook that allowed me to create arbitrary form in Facebook that send a POST request with CSRF token to any Facebook endpoints or external hosts!

It was very similar to this bug which I found in 2015.

Read More

Thursday, April 9, 2015

How I bypassed Facebook CSRF Protection

2:35 AM

bypass facebook csrf 2015

I discovered a critical vulnerability in Facebook that allowed an attacker to bypasses Facebook CSRF protection!

more information about CSRF at owasp

Read More

Sunday, March 15, 2015

Bypass ad account roles vulnerability 2015

  1 comment
2:04 PM

facebook exploit 2015

I discovered a vulnerability in Facebook that allowed a normal user in ad account to get unauthorized admin access in that ad account

admins in ad account  can add any user to their ad account with these 3 type of  role :

  1. admin
  2. advertiser
  3. analyst
read more about these roles link

Read More