Recently, Iranian web developer Pouya Darabi discovered a critical vulnerability in Facebook that allowed anyone to delete photos from another Facebook user’s account. The vulnerability existed in Facebook’s new poll feature, which was launched earlier this month for posting photos and GIFs.
Darabi analyzed the poll feature and found a bug in poll creation: anyone could replace the image ID or GIF ID in the request with the ID of another image or GIF from social media posts. After the request was sent, the substituted image appeared in the poll.
“Whenever a user tries to create a poll, a request containing a GIF URL or image ID will be sent, poll_question_data[options]  [associated_image_id] contains the uploaded image ID,” Darabi said. “When this field value changes to any other image’s ID, that image will be shown in the poll.”
If the poll’s creator then deletes the image from the poll, the source image whose ID was placed in the modified request is deleted as well.
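The following is an added example, not code from the article or from Facebook: a minimal Python model of the server-side ownership checks that close this class of bug (an insecure direct object reference), shown beside the unchecked pattern described above. The in-memory store, function names, user names and IDs are all hypothetical.

```python
# Added illustration: in-memory model, every name here is hypothetical.
from dataclasses import dataclass, field

@dataclass
class Store:
    images: dict = field(default_factory=dict)  # image_id -> owner
    polls: dict = field(default_factory=dict)   # poll_id -> (creator, [image_id])

class Forbidden(Exception):
    pass

def create_poll_unchecked(store, user, poll_id, image_ids):
    """Flawed pattern: client-supplied image IDs are attached as-is."""
    store.polls[poll_id] = (user, list(image_ids))

def create_poll_checked(store, user, poll_id, image_ids):
    """Reject any associated image ID the requesting user does not own."""
    for image_id in image_ids:
        if store.images.get(image_id) != user:
            raise Forbidden(f"image {image_id} is not owned by {user}")
    store.polls[poll_id] = (user, list(image_ids))

def delete_poll(store, user, poll_id):
    """Cascade delete that re-checks image ownership at delete time."""
    creator, image_ids = store.polls[poll_id]
    if creator != user:
        raise Forbidden("only the creator may delete the poll")
    del store.polls[poll_id]
    for image_id in image_ids:
        # Defense in depth: never delete an object on behalf of a non-owner.
        if store.images.get(image_id) == user:
            del store.images[image_id]

def demo():
    # Constructed sample data: image 101 belongs to alice, 202 to bob.
    store = Store(images={101: "alice", 202: "bob"})
    create_poll_unchecked(store, "bob", "p1", [101])  # foreign ID slips in
    delete_poll(store, "bob", "p1")
    survived_delete_guard = 101 in store.images       # alice's image remains
    try:
        create_poll_checked(store, "bob", "p2", [101])
        rejected = False
    except Forbidden:
        rejected = True
    return survived_delete_guard, rejected
```

The check at creation stops the foreign reference from being stored at all; the check in the delete path keeps a cascade from removing another user's object even if a bad reference was stored earlier.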
Facebook paid the researcher a $10,000 bug bounty for responsibly reporting the vulnerability on November 3, and the vulnerability was patched on November 5.