Image removal vulnerability in Facebook polling feature
Delete any image on Facebook
When I was checking out Facebook's new features, I noticed that a polling feature had been added to posts, so I started working on it.
Whenever a user tries to create a poll, a request containing a GIF URL or an image ID is sent. The poll_question_data[options][][associated_image_id] parameter contains the uploaded image ID.
When this field's value is changed to any other image's ID, that image is shown in the poll.
After sending the request with another user's image ID, a poll containing that image is created.
Our uploaded image has been replaced by victim's image
Finally, when we try to delete the poll, the victim's image is deleted along with it by Facebook, because it is treated as a property of the poll.
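The two server-side checks whose absence produces the behaviour described above, as an added example that is not Facebook's code and not part of the original write-up. The Store class, its methods, the user names and the image IDs are hypothetical and constructed for illustration; enforce_ownership=False reproduces the reported flaw in the model.

```python
import itertools

class Forbidden(Exception):
    """Raised when a user references an object they do not own."""

class Store:
    # Hypothetical in-memory model; enforce_ownership=False reproduces the flaw.
    def __init__(self, enforce_ownership=True):
        self.enforce = enforce_ownership
        self.images = {}  # image_id -> owner
        self.polls = {}   # poll_id -> {"owner": user, "image_ids": [...]}
        self._ids = itertools.count(1)

    def create_poll(self, user, image_ids):
        for image_id in image_ids:
            owner = self.images[image_id]  # KeyError for unknown IDs
            # Ownership check on the client-supplied associated_image_id:
            # the referenced image must belong to the requesting user.
            if self.enforce and owner != user:
                raise Forbidden(f"image {image_id} is not owned by {user}")
        poll_id = next(self._ids)
        self.polls[poll_id] = {"owner": user, "image_ids": list(image_ids)}
        return poll_id

    def delete_poll(self, user, poll_id):
        poll = self.polls[poll_id]
        if poll["owner"] != user:
            raise Forbidden("only the poll owner may delete it")
        del self.polls[poll_id]
        deleted = []
        for image_id in poll["image_ids"]:
            # Second layer: cascade only to images the poll owner owns, so a
            # poll that predates the check cannot remove someone else's image.
            if self.enforce and self.images.get(image_id) != user:
                continue
            if self.images.pop(image_id, None) is not None:
                deleted.append(image_id)
        return deleted

def demo(enforce):
    store = Store(enforce_ownership=enforce)
    store.images = {101: "alice", 202: "bob"}  # constructed sample data
    try:
        poll_id = store.create_poll("alice", [202])  # alice names bob's image
    except Forbidden:
        return "rejected", 202 in store.images
    store.delete_poll("alice", poll_id)
    return "created", 202 in store.images
```

demo(False) returns ("created", False), meaning the other user's image is gone after the poll is deleted; demo(True) returns ("rejected", True).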
POC:
I appreciate the Facebook security team for resolving this vulnerability quickly.
Timeline:
3 Nov 2017, 03:16 - Report Sent
3 Nov 2017, 15:25 - Triaged
3 Nov 2017, 16:46 - Temporary fix
5 Nov 2017, 15:03 - Permanent fix
8 Nov 2017 - $10,000 Bounty awarded
You're such a genius bro.. congrats on your bounty
hi can i pm you please
what program do you use??
He used 'Burp Suite' for handling HTTP requests from Facebook.