Today , I'll share with you one of the most critical bugs we've found in Facebook , through this bug we were able to delete any image located in Facebook CDN server as result delete any image shared on Facebook ( public & private photos).
In June 12 2020 , I was trying to make some bug hunting on Facebook , so I entered to one of my pages and browsing it to see if is there any new feature added , I started with the "create post " options and noticed that there is a new type of post called "Get Gift Card Purchases " , so let's test it !
Basically , " Get Gift Card Purchases" , is a type of posts that contains
Post Caption [ Text]
Image [ uploaded by the admin of the page ]
Before publishing the post , intercept the request and let's take a look at the endpoint
After publishing the post , I browsed the post and look at the photo published on it , if it has the same photo id of the original post ( victim photo ) , and luckily yes ! it has the same id [ in some endpoints , Facebook will check if the photo_id contain a public photo id and it takes it and return a new object different than the original post ] .
so let's try to delete this post to see if the original photo will be deleted too because this post contain a photo id belongs to another user ... unfortunately I tried it many times and didn't work :( so no bug was found .
I reported it under this title "Uploaded images in "Get Gift Card Purchases " posts , are still public after deleting the original post by the admin"
I reported it in 13 June 2020 , and before it has been triaged ( I've been asked about something related in Rate Limiting evaluation ) , so after 9 days from initial report , one of the security team replied to me that the rate limit does not qualify here but wait! he said also a very important thing !
It appears that the post does take time to be deleted
I was surprised since I tested the delete photo scenario a lot of times and I found that the photos are still public ! this report got closed as Non- Applicable ! and I got frustrated !
After I noticed the reply from the security team analyst ( post does take time to be deleted ) , I tested it again and yes I found that it takes 20-40 second to see that the post was deleted ! I re-test the first scenario included in this blog and it worked , I can delete any image on Facebook.
1-Intercepting the request
2-changing photo_id to the victim photo id
3-Delete the post
4- Wait 20-30 second and you'll see the result , the photo will be deleted !
We should noted here that the endpoint was accepting any photo id stored in the Facebook CDN SERVER so we were able to delete any private photo in Facebook , Messenger , Workplace and any product belongs to Facebook that used fbcdn to store its images.
To focus on the High impact of this bug , let's take the President Donald Trump as an example
As you know that in the last month , Twitter took action on Trump tweets as result the president Trump threatened to “shut down” social media companies, personally targeted a Twitter employee, and signed an executive order that would affect the entire internet. , in contrast Facebook refused to remove Trump posts .Just imagine what if we deleted the Trump campaign from his official Facebook page by abusing this bug?