This post is about a bug that I found on Facebook that could be used to delete any publicly visible photo by editing the series feature.
An image-removal vulnerability in the same series feature had already been found by another researcher, Pouya Darabi; this writeup describes a bypass of that fix in a different scenario.
A series has options to set a Poster Art photo (mandatory) and a Cover Image (optional).
When creating a new series, if an attacker tried to modify the photo objects of the Poster Art and Cover Image, the server validated them properly and returned an error. But when editing the series, the ownership-check validation for the Cover Image was missing, so any publicly visible photo id on Facebook could be associated with the Cover Image.
Replacing the “custom_thumbnail_id=xxx” value with any photo id associated that photo with the series:
POST /media/manager/shows/edit_show_metadata/?show_id=xxx&title=xxx&description=&custom_thumbnail_id=xxx&is_serialized=false&poster_art_id=xxx&session_id=xxx&av=xxx HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Cookie: sb=xxx; datr=xxx; dpr=1.25; c_user=xxx;

__user=xxx&__a=1&fb_dtsg=xxx
When the series was deleted, all season videos, Poster Arts and Cover Images, including the victim’s photo, were deleted too. Completely deleting the series took around 30 to 45 seconds.
This issue was reported as a BountyCon2020 event submission. Thank you to the Facebook team for quickly addressing and fixing this issue.
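To make the root cause concrete, here is an added illustration (my own model, not Facebook's code) of the pattern described above: the create path validates ownership of both photo ids, the edit path validates only the Poster Art, and the cascade delete removes every photo referenced by the series. All names (Store, Photo, Series, edit_show_metadata_*, delete_show) and ids are hypothetical. Alongside the bug it shows the two defensive changes: running the same ownership check on every photo id an edit request supplies, and having the cascade delete refuse to remove photos the series owner does not own.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class AuthorizationError(Exception):
    """Raised when a request references a series or photo the caller does not own."""


@dataclass
class Photo:
    photo_id: int
    owner_id: int
    public: bool = True   # public visibility never implies permission to attach


@dataclass
class Series:
    show_id: int
    owner_id: int
    poster_art_id: int
    custom_thumbnail_id: Optional[int] = None


@dataclass
class Store:
    """Hypothetical in-memory backend standing in for the real photo/series storage."""
    photos: Dict[int, Photo] = field(default_factory=dict)
    series: Dict[int, Series] = field(default_factory=dict)

    def _owned_photo(self, user_id: int, photo_id: int) -> None:
        photo = self.photos.get(photo_id)
        if photo is None or photo.owner_id != user_id:
            raise AuthorizationError(f"user {user_id} does not own photo {photo_id}")

    def _owned_series(self, user_id: int, show_id: int) -> Series:
        s = self.series.get(show_id)
        if s is None or s.owner_id != user_id:
            raise AuthorizationError(f"user {user_id} does not own series {show_id}")
        return s

    def create_show(self, user_id: int, show_id: int, poster_art_id: int,
                    custom_thumbnail_id: Optional[int] = None) -> Series:
        # Create path: both photo ids are validated, as the writeup reports.
        self._owned_photo(user_id, poster_art_id)
        if custom_thumbnail_id is not None:
            self._owned_photo(user_id, custom_thumbnail_id)
        self.series[show_id] = Series(show_id, user_id, poster_art_id, custom_thumbnail_id)
        return self.series[show_id]

    def edit_show_metadata_vulnerable(self, user_id: int, show_id: int, poster_art_id: int,
                                      custom_thumbnail_id: Optional[int]) -> Series:
        # Edit path as described: Poster Art is checked, Cover Image is not.
        s = self._owned_series(user_id, show_id)
        self._owned_photo(user_id, poster_art_id)
        s.poster_art_id = poster_art_id
        s.custom_thumbnail_id = custom_thumbnail_id   # BUG: no ownership check
        return s

    def edit_show_metadata_fixed(self, user_id: int, show_id: int, poster_art_id: int,
                                 custom_thumbnail_id: Optional[int]) -> Series:
        # Fixed edit path: every photo id supplied by the request gets the same check.
        s = self._owned_series(user_id, show_id)
        self._owned_photo(user_id, poster_art_id)
        if custom_thumbnail_id is not None:
            self._owned_photo(user_id, custom_thumbnail_id)
        s.poster_art_id = poster_art_id
        s.custom_thumbnail_id = custom_thumbnail_id
        return s

    def delete_show(self, user_id: int, show_id: int, owner_filter: bool) -> Set[int]:
        # Cascade delete of the series and its artwork. With owner_filter=True the cascade
        # skips any photo not owned by the series owner (defence in depth).
        s = self._owned_series(user_id, show_id)
        deleted: Set[int] = set()
        for pid in (s.poster_art_id, s.custom_thumbnail_id):
            photo = self.photos.get(pid) if pid is not None else None
            if photo is None or (owner_filter and photo.owner_id != s.owner_id):
                continue
            del self.photos[pid]
            deleted.add(pid)
        del self.series[show_id]
        return deleted


def run_scenario(fixed_edit: bool, owner_filter: bool) -> dict:
    """Constructed scenario: user 1 owns photo 100 and series 7; user 2 owns public
    photo 200. User 1 edits the series to set photo 200 as Cover Image, then deletes it."""
    store = Store()
    store.photos[100] = Photo(100, owner_id=1)
    store.photos[200] = Photo(200, owner_id=2)
    store.create_show(1, 7, poster_art_id=100)
    edit = store.edit_show_metadata_fixed if fixed_edit else store.edit_show_metadata_vulnerable
    try:
        edit(1, 7, poster_art_id=100, custom_thumbnail_id=200)
        attached = True
    except AuthorizationError:
        attached = False
    deleted = store.delete_show(1, 7, owner_filter=owner_filter)
    return {"attached": attached, "victim_photo_deleted": 200 in deleted,
            "victim_photo_survives": 200 in store.photos}


if __name__ == "__main__":
    print("reported bug :", run_scenario(fixed_edit=False, owner_filter=False))
    print("fixed edit   :", run_scenario(fixed_edit=True, owner_filter=False))
    print("safe cascade :", run_scenario(fixed_edit=False, owner_filter=True))
```

The first scenario reproduces the report: the foreign photo attaches and is removed by the cascade. The second shows that checking ownership on the edit path, exactly as the create path already did, rejects the attachment. The third shows that even if a foreign id does slip into the series, a cascade that only deletes the owner's own objects limits the damage to the series itself.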
05-Oct-2020: Report sent
05-Oct-2020: Further investigation by Facebook and temporary fix
10-Oct-2020: $10000 bounty + $750 bonus awarded by Facebook
31-Oct-2020: Fix confirmed by Facebook and me