Saturday, November 25, 2017

Image removal vulnerability in Facebook polling feature


  4 comments

Delete any
Image on Facebook





When I was checking out facebook's new features, I noticed that polling feature were added to the posts so I start working on it.

POLL


Whenever a user tries to create a poll, a request containing gif URL or image id will be sent,
poll_question_data[options][][associated_image_id] contains the uploaded image id.




When this field value changes to any other images ID, that image will be shown in poll.
After sending request with another user image ID, a poll containing that image would be created.
Our uploaded image has been replaced by victim's image

At the end when we try to delete the poll, victim's image would be deleted with it by facebook as a poll property.

POC:


I appreciate Facebook security team for resolving this vulnerability quickly.

TimeLine:
3 Nov 2017, 03:16 – Report Sent
3 Nov 2017, 15:25 – Triaged
3 Nov 2017, 16:46 - Temporary fix
5 Nov 2017, 15:03 - Permanent fix
8 Nov 2017   $10,000 Bounty awarded



4 comments :