A vulnerability in the new design of Facebook could be used to delete the profile photo of any user.

The design in question is FB5, which the social network presented in April at the F8 conference.
The issue was reported by cybersecurity researcher Philippe Harewood.
According to Harewood, the new site design uses a GraphQL call to delete the profile photo, and the expert believes the same mechanism can be used for malicious purposes.
“The name of the GraphQL call for these specific purposes is profile_picture_remove. Under normal circumstances, this call should accept the page identifier in the profile_id field. By changing this identifier to the profile ID of any user, an attacker will be able to delete a photo of his profile”, writes Harewood on his blog.
It is worth noting that the deletion is not irreversible: if desired, the affected user can restore the photo.
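The class of bug described above is a missing object-level authorization check on a client-supplied identifier. The following is an added example, not Facebook's code and not Harewood's PoC: a server-side handler that trusts `profile_id` next to one that checks it against the authenticated viewer. Only the `profile_id` field name comes from the article; the store, the IDs and all function names are hypothetical.

```javascript
// Constructed in-memory data: two user profiles and one page (all hypothetical).
function makeStore() {
  return {
    profiles: new Map([
      ["100", { kind: "user", picture: "alice.jpg" }],
      ["200", { kind: "user", picture: "bob.jpg" }],
      ["900", { kind: "page", picture: "page.jpg", admins: new Set(["100"]) }],
    ]),
  };
}

// "Before": acts on whatever profile_id the client sends.
// viewerId (taken from the session) is never consulted, which is the flaw.
function removePictureUnchecked(store, viewerId, args) {
  const target = store.profiles.get(String(args.profile_id));
  if (!target) return { ok: false, error: "NOT_FOUND" };
  target.picture = null;
  return { ok: true };
}

// True only if the authenticated viewer controls the target object.
function canEditProfile(store, viewerId, profileId) {
  const target = store.profiles.get(profileId);
  if (!target) return false;
  if (target.kind === "user") return profileId === viewerId;
  if (target.kind === "page") return target.admins.has(viewerId);
  return false; // unknown object types are denied by default
}

// "After": the same operation, authorized against the session identity
// before any state changes.
function removePictureChecked(store, viewerId, args) {
  const profileId = String(args.profile_id);
  if (!canEditProfile(store, viewerId, profileId)) {
    // Same answer for "missing" and "not yours", so IDs cannot be probed.
    return { ok: false, error: "FORBIDDEN" };
  }
  store.profiles.get(profileId).picture = null;
  return { ok: true };
}
```

The check lives in the handler for the operation itself, so it applies no matter which client or interface version issues the call.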
Philippe Harewood has published PoC code for this bug.
Facebook confirmed the problem and paid the researcher $2,500.
Recall that Facebook also awarded a team of researchers from Germany $100,000 for creating a new code isolation technique that can be used to protect sensitive data at the time of processing.
“We recently ran a program where we granted a select group of researchers early access to FB5, the new design for Facebook that we announced at our F8 conference. One of these researchers, Philippe Harewood, identified a bug in the new interface that could have allowed someone to remove another person’s profile photo. We thank Philippe for sharing this bug so we could fix it before FB5 rolls out worldwide”, Facebook said.