
Hello Community!

Today I'll share with you one of the most critical bugs we've found in Facebook. Through this bug we were able to delete any image stored on the Facebook CDN server, and as a result delete any image shared on Facebook (public and private photos).

Get Gift Card Purchases posts

On June 12, 2020, I was doing some bug hunting on Facebook, so I opened one of my pages and browsed it to see if there was any new feature added. I started with the "create post" options and noticed that there is a new type of post called "Get Gift Card Purchases", so let's test it!

Basically, a "Get Gift Card Purchases" post contains three things:

- Post caption (text)
- Image (uploaded by the admin of the page)
- Website URL

Before publishing the post, intercept the request and let's take a look at the endpoint:

POST /gift_card/create/?referrer=composer_sprout&photo_id=1529786160520037&page_id=122808658427912&website_url=www.sss.com&message=sdsd&default_photo_url=

So I tried changing the photo_id to the id of any other photo shared on Facebook, and yes! The photo was published successfully on the page!

After publishing the post, I opened it and checked the photo published in it to see whether it had the same photo id as the original post (the victim's photo), and luckily yes, it had the same id. [On some endpoints, Facebook checks whether the photo_id points to a public photo, takes a copy of it, and returns a new object different from the original post.]

So let's try deleting this post to see if the original photo gets deleted too, since this post contains a photo id that belongs to another user... Unfortunately I tried it many times and it didn't work :( So no bug was found.

Non Applicable Report 

Since the photo included in a "Get Gift Card Purchases" post is not deleted once the admin deletes the post, I checked the following scenario: if a page admin uploads a photo in one of these posts (Get Gift Card Purchases) and later decides to delete that post, the photo included in the post is not deleted, so a malicious user is able to access it by brute forcing the photo id until he finds it.

I reported it under this title: "Uploaded images in "Get Gift Card Purchases" posts are still public after deleting the original post by the admin".

I reported it on 13 June 2020, and before it was triaged I was asked about something related to the rate limiting evaluation. Nine days after the initial report, one of the security team analysts replied that the rate limit does not qualify here, but wait! He also said a very important thing:

It appears that the post does take time to be deleted

I was surprised, since I had tested the delete photo scenario many times and found that the photos were still public! The report got closed as Non-Applicable, and I got frustrated!

From N/A to HIGH IMPACT [$10,000]

After I noticed the reply from the security team analyst (the post does take time to be deleted), I tested it again, and yes, I found that it takes 20-40 seconds before the post shows as deleted! I re-tested the first scenario described in this blog and it worked: I could delete any image on Facebook.

1- Intercept the request
2- Change photo_id to the victim's photo id
3- Delete the post
4- Wait 20-30 seconds and you'll see the result: the photo will be deleted!

We should note here that the endpoint accepted any photo id stored on the Facebook CDN server, so we were able to delete any private photo in Facebook, Messenger, Workplace and any other Facebook product that uses fbcdn to store its images.
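To make the root cause concrete, here is an added toy model (not Facebook's code, and a deliberate simplification of what is described above): a post references a photo by id, and deleting the post cascades to the photo. The vulnerable handlers only check that the photo exists and that the post belongs to the page; the hardened ones authorize the referenced photo_id itself. Names such as Store, create_post_vulnerable and victim_photo_survives are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Store:
    photos: dict = field(default_factory=dict)  # photo_id -> owner id
    posts: dict = field(default_factory=dict)   # post_id -> (page_id, photo_id)


def create_post_vulnerable(store, page_id, photo_id):
    # Only checks that the photo exists; never asks who owns it.
    if photo_id not in store.photos:
        raise KeyError("no such photo")
    post_id = len(store.posts) + 1
    store.posts[post_id] = (page_id, photo_id)
    return post_id


def delete_post_vulnerable(store, page_id, post_id):
    owner_page, photo_id = store.posts[post_id]
    if owner_page != page_id:
        raise PermissionError("not your post")
    del store.posts[post_id]
    # Cascade: the referenced photo goes with the post, whoever owns it.
    store.photos.pop(photo_id, None)


def create_post_hardened(store, page_id, photo_id):
    # Authorize the referenced object, not just the post being created.
    if store.photos.get(photo_id) != page_id:
        raise PermissionError("photo not owned by this page")
    post_id = len(store.posts) + 1
    store.posts[post_id] = (page_id, photo_id)
    return post_id


def delete_post_hardened(store, page_id, post_id):
    owner_page, photo_id = store.posts[post_id]
    if owner_page != page_id:
        raise PermissionError("not your post")
    del store.posts[post_id]
    # Re-check ownership at delete time before cascading to the photo.
    if store.photos.get(photo_id) == page_id:
        del store.photos[photo_id]


def victim_photo_survives(create, delete):
    # Constructed data: "victim" owns a photo; page_a tries to attach it.
    store = Store(photos={"victim_photo": "victim", "page_photo": "page_a"})
    try:
        post_id = create(store, "page_a", "victim_photo")
    except PermissionError:
        return True  # hardened path: the post is never created
    delete(store, "page_a", post_id)
    return "victim_photo" in store.photos
```

The fix is an authorization check on the object being referenced (and again on the cascade), not on the post alone.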

Deleting Donald Trump campaign post ?

To show the high impact of this bug, let's take President Donald Trump as an example.

As you know, last month Twitter took action on Trump's tweets. As a result, President Trump threatened to “shut down” social media companies, personally targeted a Twitter employee, and signed an executive order that would affect the entire internet. Facebook, in contrast, refused to remove Trump's posts. Just imagine what would have happened if we had deleted the Trump campaign photos from his official Facebook page by abusing this bug.