Thursday, June 4, 2020

Another image removal vulnerability on Facebook


Delete any Image on Facebook using Series Feature

delete vulnerability

I noticed the Series Feature was added to Facebook Creator Studio therefor I start digging on it.


A request containing image ids will be sent, by inserting images in the "Poster Art" or "Cover Image" sections after creating a series

Modifying that request with another image-id will create a series containing that image. Finally, deleting the series also makes the victim's image (which is the series property) to be deleted too.


Kudos to the Facebook security team for resolving this vulnerability instantly.

2 May 2020, 09:10 – Report Sent
2 May 2020, 10:39 – Triaged
2 May 2020, 22:46 - Fixed
2 Jun 2020,  $10,000 Bounty awarded