Deleting Facebook Event&Group cover pics

Hi Friends 🙂

Here is a small logical flaw with facebook at event and group corner.
title should be deleting facebook event&group cover pic with image id reference flaw

Facebook  use numerical id’s  to identify each objects like video,url,feed,photos,event,groups etc  .So i was checking the event corner and i got a logical flaw with image id’s i thought of developer logic while building this

Test : If any random invitee of the event post any pic on event wall and if later on that pic is being utilized by the admin of the event as a event cover pic then can we do any malicious stuffs with it ?

that’s straight ! but what could be wrong with this method ? its a right of an admin to utilize the assets of event or the object he/she belongs to !

ok lets dig deep for that i first created 2 accounts A admin of event and B normal user
Now i posted on the behalf of user B and from Admin  account i tried to use that image as event cover pic . I noticed that  fb was assigning  same image id as it was assigned to the original poster B while posting it so WHAT ?

Imagine now the original poster B is being removed by the admin A from the event and now he don’t have accessed to the assets like notes,pics of that particular event . He cannot interact with them or visit them right !

But according to graph documentation the app which have created any node only have permissions to delete it !  so the user B still have delete right’s

Now  exploitation –> on triggering  Delete Request to that image id like
Delete /736667463112529
  via graph api  the result was 200  boom now when admin will refresh the page he will find that event cover pic is now being also deleted due to direct reference to image id .

This flaw was is in both facebook events and groups I reported this to facebook under the category malicious use of functionality however it was more over logical flaw being itself a vulnerability .

but the team was immediate to acknowledge the report .

Now issue has been Fixed  both from client side as well as from api side.

Fix in place : Now  facebook will generate unique id of photos whenever anyone try to use it as cover pic instead of using same id .

Here is a Video Poc ? 

cheers !


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s