Pierluigi Paganini August 20, 2019

A security vulnerability in the Facebook design (FB5) could have allowed attackers to remove any photo from profiles of the users.

The security expert Philippe Harewood is one of the security researchers that received early access by Facebook to the new FB5 design and discovered an important design flaw.

Harewood explained that the issue affects the GraphQL that is a feature implemented in the new design to remove profile pictures from Facebook fan pages. The design vulnerability could be abused by attackers to delete photos from the profiles of the users.

“The profile_picture_remove mutator is the name of the GraphQL call for this specific mutation. Normally, the mutation accepts a page identifier in the profile_id field for a Facebook page. Changing the identifier for any user profile allowed a malicious user to dissociate the user’s profile picture.” reads a blog post published by Harewood.

The researcher also published a proof-of-concept (PoC) code that allowed him to remove the profile photo from any targeted user’s account.

Harewood pointed out that the original photo removed exploiting the flaw was still available, this means that a user is able to set the profile picture back to the original in an easy way.

Facebook acknowledged the vulnerability and awarded the researcher a $2,500 as part of its bug bounty program.

“We recently ran a similar program where we granted a select group of researchers early access to FB5, the new design for Facebook we announced at our F8 conference. One of these researchers, Philippe Harewood, identified a bug in the new interface that could have allowed someone to remove another person’s profile photo. If this bug was exploited, a person’s profile photo would appear blank.” reads a post published by Facebook. “However, the photo would still be saved in the person’s account and available to upload. We thank Philippe for sharing this bug so we could fix it before FB5 rolls out worldwide. You can read more about his finding here.”

Facebook also announced that it is expanding its Data Abuse Bounty program to include Instagram. The social network giant will launch an invitation-only bug bounty program for the Checkout feature implemented in Instagram.

“Checkout on Instagram allows people to purchase products directly on Instagram without leaving the app. To continue to ensure this feature’s security as we expand globally, we’ve invited a select group of security researchers to stress test it.” concludes Facebook.

“We are exploring other opportunities to tap into the expertise of researchers who consistently submit high-quality research to our bug bounty program and invite them to test new features prior to launch.”

Pierluigi Paganini

(SecurityAffairs – Facebook, bug bounty)

[adrotate banner=”5″]

[adrotate banner=”13″]