Delete any Photo from Facebook by Exploiting Support Dashboard — $12,500 Bug

Hello,

I want to share a critical bug in Facebook that allowed deleting any photo without user interaction. Initially, the Facebook team could not reproduce this bug, but I persisted: I sent them a video proof of concept and clearly explained the issue using demo accounts. Facebook patched the vulnerability and rewarded me $12,500 for reporting it.

[Image: initial response from Facebook]

[Image: bug approval]

[Image: bounty confirmation]

Observation

The Support Dashboard is the portal where you track the status of reports you have made to Facebook. From it you can see whether your report has been reviewed by the Facebook employees who assess reports around the clock.

The flaw was in the mobile version of the Support Dashboard. If the Facebook team reviews a report and decides not to remove the photo, the reporter is offered the option to send a Photo Removal Request to the photo owner via Messages. When the reporter sends that request, Facebook's server generates a photo removal link and delivers it to the owner; if the owner clicks the link, the photo is deleted. The link is therefore a bearer capability: whoever holds it can delete the photo.

How this Vulnerability Works

The server did not validate that the photo_id and profile_id in the request matched the report the user was acting on. By replacing photo_id with the ID of any photo and profile_id with their own profile ID, an attacker received a removal link for that photo in their own inbox, and then deleted the photo simply by visiting the link. This is a classic insecure direct object reference: the server trusted client-supplied identifiers for both the object (the photo) and the recipient of the removal capability. Facebook also did not notify users when a photo was removed this way, so the victim had no indication that anything had happened.

Vulnerable URL

The vulnerable request carried two parameters, cid and rid. Changing cid to the target photo's ID and rid to the attacker's own profile ID caused the server to send the removal link for that photo to the attacker's inbox.

  • cid = Photo ID (the target photo to be removed)
  • rid = Profile ID (the attacker's own profile ID, so the link is delivered to the attacker)
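To make the failure concrete, here is a constructed Python model of the flow described above. It is added for this write-up and is not Facebook's code; the class, method and field names, the in-memory stores and the sample users and photo IDs are all assumptions. It places the vulnerable handler, which trusts cid and rid straight from the request, beside a hardened one that requires the caller to hold a declined report for exactly that photo, derives the recipient server-side from the photo's owner, and binds the link to that owner so a stray copy cannot delete anything.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SupportDashboard:
    """Toy model of the Photo Removal Request flow (constructed for this example)."""
    photos: dict                                   # photo_id -> owner profile_id
    declined_reports: set                          # (reporter_id, photo_id) the team declined
    inbox: dict = field(default_factory=dict)      # profile_id -> [removal tokens]
    links: dict = field(default_factory=dict)      # token -> (photo_id, bound_owner or None)

    def _issue_link(self, photo_id, bound_owner):
        token = secrets.token_urlsafe(16)
        self.links[token] = (photo_id, bound_owner)
        return token

    def send_request_vulnerable(self, session_user, cid, rid):
        """Models the flaw: cid and rid are taken as-is from the request.

        Nothing ties cid to a report the caller actually made, and nothing ties
        rid to the owner of cid, so the caller can request a link for any photo
        and have it delivered to any inbox, including their own.
        """
        if cid not in self.photos:
            raise KeyError(f"unknown photo {cid}")
        token = self._issue_link(cid, bound_owner=None)   # unbound bearer link
        self.inbox.setdefault(rid, []).append(token)
        return token

    def send_request_fixed(self, session_user, cid):
        """Hardened handler: caller must hold a declined report for cid, the
        recipient is derived from the photo's owner, and no rid is accepted."""
        if (session_user, cid) not in self.declined_reports:
            raise PermissionError("caller has no declined report for this photo")
        owner = self.photos[cid]
        token = self._issue_link(cid, bound_owner=owner)  # bound to the owner
        self.inbox.setdefault(owner, []).append(token)
        return token

    def click_link(self, clicking_user, token):
        """Redeem a removal link. Unbound links delete on any visit (the bug);
        bound links delete only when the owner they were issued to visits."""
        photo_id, bound_owner = self.links[token]
        if bound_owner is not None and clicking_user != bound_owner:
            raise PermissionError("link is bound to the photo owner")
        if photo_id not in self.photos:
            raise KeyError(f"photo {photo_id} already gone")
        del self.links[token]          # single use
        del self.photos[photo_id]
        return photo_id


def demo():
    """Replays the attack against both handlers and returns the outcomes."""
    def fresh():
        # Constructed data: the attacker reported 'other's photo p300 and the team
        # declined it, so the attacker legitimately has the removal-request option.
        return SupportDashboard(photos={"p100": "victim", "p300": "other"},
                                declined_reports={("attacker", "p300")})

    out = {}
    site = fresh()
    # Attacker swaps cid to the victim's photo and rid to their own profile.
    tok = site.send_request_vulnerable("attacker", cid="p100", rid="attacker")
    out["vuln_link_in_attacker_inbox"] = tok in site.inbox.get("attacker", [])
    out["vuln_deleted"] = site.click_link("attacker", tok)   # victim never involved

    site = fresh()
    try:
        site.send_request_fixed("attacker", cid="p100")      # no report for p100
        out["fixed_blocked_foreign_photo"] = False
    except PermissionError:
        out["fixed_blocked_foreign_photo"] = True
    tok = site.send_request_fixed("attacker", cid="p300")    # legitimate request
    out["fixed_link_goes_to_owner"] = tok in site.inbox["other"] and "attacker" not in site.inbox
    try:
        site.click_link("attacker", tok)                     # stolen copy is useless
        out["fixed_attacker_click_blocked"] = False
    except PermissionError:
        out["fixed_attacker_click_blocked"] = True
    out["fixed_owner_click_deletes"] = site.click_link("other", tok) == "p300"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two checks in the hardened handler are independent and both matter: tying cid to the caller's own declined report stops the object substitution, and deriving the recipient from the photo's owner (rather than accepting rid) stops the capability from being redirected. Binding the link to the owner at redemption time is defence in depth for the case where a link is forwarded or leaked.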

How it Works

[Video proof of concept]

Hall of Fame

[Image: Hall of Fame listing]

Tags: Vulnerability · Facebook · Bug Bounty · Photo Deletion

This post is licensed under CC BY 4.0 by the author.