After Instagram polls, Facebook decided to give its users a polling feature as well. The feature rolled out about a month ago and lets users attach GIF images as poll options. What Facebook didn’t know is that it had a loophole that allowed a malicious actor to delete other people’s photos from Facebook.
The person who discovered this exploit is Pouya Darabi and Facebook gave him a $10,000 reward for reporting this issue. Darabi explained in his blog post how someone could use this exploit to delete images.
“Whenever a user tries to create a poll, a request containing a GIF URL or image ID will be sent; poll_question_data[options][associated_image_id] contains the uploaded image ID.”
“When this field’s value changes to any other image’s ID, that image will be shown in the poll. After sending the request with another user’s image ID, a poll containing that image would be created.”
In other words, the server accepted whatever image ID the client supplied without checking that it belonged to the user creating the poll, so the poll image could be swapped for a photo from any Facebook profile. But that’s not all. Once a malicious actor has attached the victim’s image to his poll, all he has to do is delete the poll: the poll is removed along with the victim’s image, and the victim never knows what happened.
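To make the missing check concrete, here is an added example (not Facebook’s code and not from Darabi’s post) modelling the poll create/delete flow described above in a small in-memory store. The vulnerable handlers trust the client-supplied associated_image_id and cascade the poll deletion to whatever image it references; the fixed handlers verify ownership when the image is attached and again before cascading the delete. All names (Store, create_poll_*, delete_poll_*, the sample image IDs) are hypothetical.

```python
# Added example (not Facebook's code, not from Darabi's post): a minimal
# in-memory model of the poll create/delete flow, with the missing
# object-level authorization check and the corrected handlers.
# All names and the sample data are constructed for illustration.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a request touches an object the caller does not own."""


@dataclass
class Store:
    images: dict                                  # image_id -> owner user id
    polls: dict = field(default_factory=dict)     # poll_id -> (creator, image_id)
    next_poll_id: int = 1

    def _new_poll(self, creator, image_id):
        poll_id = self.next_poll_id
        self.next_poll_id += 1
        self.polls[poll_id] = (creator, image_id)
        return poll_id


def _requested_image_id(request):
    # The field named in the write-up: poll_question_data[options][associated_image_id]
    return request["poll_question_data"]["options"]["associated_image_id"]


# --- vulnerable flow: the server trusts the client-supplied image id ---------
def create_poll_vulnerable(store, user, request):
    image_id = _requested_image_id(request)
    if image_id not in store.images:           # existence is checked, ownership is not
        raise KeyError("unknown image")
    return store._new_poll(user, image_id)


def delete_poll_vulnerable(store, user, poll_id):
    creator, image_id = store.polls[poll_id]
    if creator != user:
        raise Forbidden("not the poll creator")
    del store.polls[poll_id]
    # Cascades to the associated image without asking who owns it.
    store.images.pop(image_id, None)


# --- fixed flow: ownership is checked at attach time and at delete time ------
def create_poll_fixed(store, user, request):
    image_id = _requested_image_id(request)
    # Object-level authorization: the image must belong to the requester.
    if store.images.get(image_id) != user:
        raise Forbidden("image is not owned by the requester")
    return store._new_poll(user, image_id)


def delete_poll_fixed(store, user, poll_id):
    creator, image_id = store.polls[poll_id]
    if creator != user:
        raise Forbidden("not the poll creator")
    del store.polls[poll_id]
    # Defence in depth: only cascade to an image the poll's creator actually owns.
    if store.images.get(image_id) == creator:
        del store.images[image_id]


def victim_image_survives(create, delete):
    """Run the scenario from the write-up against a pair of handlers and report
    whether the victim's image is still present afterwards (constructed data)."""
    store = Store(images={"img-attacker": "attacker", "img-victim": "victim"})
    request = {"poll_question_data": {"options": {"associated_image_id": "img-victim"}}}
    try:
        poll_id = create(store, "attacker", request)
        delete(store, "attacker", poll_id)
    except Forbidden:
        pass                                    # request rejected; nothing deleted
    return "img-victim" in store.images


if __name__ == "__main__":
    print("vulnerable:", victim_image_survives(create_poll_vulnerable, delete_poll_vulnerable))  # False
    print("fixed:", victim_image_survives(create_poll_fixed, delete_poll_fixed))                  # True
```

The check that matters is the one in create_poll_fixed: any client-controlled object ID that ends up in a server-side reference must be authorized against the requesting user, not merely validated for existence. The second check in delete_poll_fixed is there so that a cascade can never remove something the poll’s owner was never entitled to delete, even if a reference slipped through by some other path.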
The whole process takes about a minute and is shown in the video below.
Video: “Image removal vulnerability in Facebook polling feature” – https://blog.darabi.me/2017/11/image-removal-vulnerability-in-facebook.html (posted by Dynamic World on Tuesday, November 21, 2017)
The good news is that this exploit no longer works. Facebook was fast to fix the bug and everything is safe again, for now.
If you think that you’ve discovered an exploit that would be worth checking out consider reporting it here. Facebook offers a minimum reward of $500 for bug reports that are worthy of their attention.