Thursday, June 4, 2020

Another image removal vulnerability on Facebook



Delete any Image on Facebook using Series Feature






I noticed the Series Feature was added to Facebook Creator Studio, therefore I started digging into it.
 

Series



After creating a series, inserting images in the "Poster Art" or "Cover Image" sections sends a request containing the image IDs.



Modifying that request with another image ID creates a series containing that image. Finally, deleting the series also deletes the victim's image (which is a property of the series).
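The flaw described above is a missing ownership check on a client-supplied object ID, combined with a cascading delete. The following is an added example, not code from the original post or from Facebook: a small in-memory model in which `Store`, `create_series`, `delete_series`, the `check_owner` switch and the user names are all hypothetical. The post does not say how the issue was fixed, so the ownership check shown is an assumed mitigation.

```python
# Added illustration: an in-memory model, not Facebook's code. All names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Store:
    image_owner: dict = field(default_factory=dict)  # image_id -> owning user
    series: dict = field(default_factory=dict)       # series_id -> (owner, [image_ids])
    next_id: int = 1

    def upload(self, user, image_id):
        self.image_owner[image_id] = user

    def create_series(self, user, image_ids, check_owner=True):
        # check_owner=False models the flaw: client-supplied image IDs are trusted as-is.
        if check_owner:
            for iid in image_ids:
                if self.image_owner.get(iid) != user:
                    raise PermissionError(f"image {iid} is not owned by {user}")
        sid, self.next_id = self.next_id, self.next_id + 1
        self.series[sid] = (user, list(image_ids))
        return sid

    def delete_series(self, user, sid, check_owner=True):
        owner, image_ids = self.series[sid]
        if owner != user:
            raise PermissionError("caller does not own this series")
        for iid in image_ids:
            # Defense in depth: the cascade skips images the caller does not own.
            if check_owner and self.image_owner.get(iid) != user:
                continue
            self.image_owner.pop(iid, None)
        del self.series[sid]


def demo():
    """Return (image lost on the flawed path, attach rejected on the checked path)."""
    s = Store()
    s.upload("victim", 111)        # constructed sample IDs
    s.upload("other_user", 222)
    sid = s.create_series("other_user", [222, 111], check_owner=False)
    s.delete_series("other_user", sid, check_owner=False)
    lost = 111 not in s.image_owner
    s.upload("victim", 111)        # restore, then retry with the check enabled
    try:
        s.create_series("other_user", [111])
        rejected = False
    except PermissionError:
        rejected = True
    return lost, rejected
```

Checking ownership when the image is attached closes the hole at the point of entry; re-checking it in the cascade keeps a series that was created before the fix from deleting someone else's image.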

POC:

Kudos to the Facebook security team for resolving this vulnerability instantly.



Timeline:
2 May 2020, 09:10 – Report Sent
2 May 2020, 10:39 – Triaged
2 May 2020, 22:46 – Fixed
2 Jun 2020 – $10,000 Bounty awarded