Another image removal vulnerability on Facebook
Delete any Image on Facebook using Series Feature
I noticed the Series feature was added to Facebook Creator Studio, therefore I started digging into it.
After creating a series, inserting images in the "Poster Art" or "Cover Image" sections sends a request containing the image IDs.
Modifying that request to use another image ID creates a series containing that image. Finally, deleting the series also deletes the victim's image (which is a property of the series).
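The flaw class described above is a missing ownership check on client-supplied image IDs combined with a cascading delete. The following sketch is an added example, not Facebook's code or part of the original write-up: the in-memory `Store`, the function names and the sample IDs are all constructed, and the post does not describe the fix Facebook actually applied.

```python
from dataclasses import dataclass, field

@dataclass
class Store:
    """Constructed in-memory model: images and series keyed by ID."""
    images: dict = field(default_factory=dict)  # image_id -> owner
    series: dict = field(default_factory=dict)  # series_id -> (owner, [image_ids])

def create_series_vulnerable(store, user, series_id, image_ids):
    # Flawed: only checks that the IDs exist, not who owns them.
    if not all(i in store.images for i in image_ids):
        raise KeyError("unknown image")
    store.series[series_id] = (user, list(image_ids))

def create_series_hardened(store, user, series_id, image_ids):
    # Every image referenced in the request must belong to the caller.
    for i in image_ids:
        if store.images.get(i) != user:
            raise PermissionError(f"image {i} is not owned by {user}")
    store.series[series_id] = (user, list(image_ids))

def delete_series(store, user, series_id, cascade_check=True):
    owner, image_ids = store.series[series_id]
    if owner != user:
        raise PermissionError("not the series owner")
    del store.series[series_id]
    deleted = []
    for i in image_ids:
        # Defence in depth: never cascade to an image the series owner
        # does not own, even if a bad reference slipped in at creation.
        if cascade_check and store.images.get(i) != owner:
            continue
        if store.images.pop(i, None) is not None:
            deleted.append(i)
    return deleted

def demo():
    store = Store(images={"img_bob": "bob", "img_alice": "alice"})
    # Vulnerable path: alice references bob's image, then deletes the series.
    create_series_vulnerable(store, "alice", "s1", ["img_bob"])
    lost = delete_series(store, "alice", "s1", cascade_check=False)
    store.images["img_bob"] = "bob"  # restore for the second run
    # Hardened path: the same request is rejected at creation time.
    try:
        create_series_hardened(store, "alice", "s2", ["img_bob"])
        rejected = False
    except PermissionError:
        rejected = True
    return lost, rejected, "img_bob" in store.images
```

Checking ownership at both the attach step and the cascade step means a reference that slips past one check still cannot delete another user's image.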
POC:
Kudos to the Facebook security team for resolving this vulnerability instantly.
Timeline:
2 May 2020, 09:10 – Report Sent
2 May 2020, 10:39 – Triaged
2 May 2020, 22:46 – Fixed
2 Jun 2020, $10,000 Bounty awarded