New features in software always bring bugs. Still, some are worse than others.
When Facebook rolled out its new polling feature earlier this month, which allows people to post votable questions on anything from what to have for dinner to what dress to wear at a prom dance, it also inadvertently opened the door for hackers to delete any picture on the network.
Security researcher Pouya Darabi discovered the bug in early November. When someone created a poll, he found, the client sent a request to Facebook's servers that included a unique ID for the picture or GIF attached to the poll. As Darabi explains in a blog post, he could replace that ID with the ID of any other picture on the network, including ones other people had uploaded, and the server accepted it without checking that the poll's creator owned the referenced image. The poll he created would then display other people's pictures, even ones not set to public.
Then, when he deleted his own poll, the referenced image (the one taken from someone else's page) was deleted from Facebook entirely, not just from the poll: the deletion cascaded from the poll to the image without a second ownership check. The write-up does not say how Darabi obtained the IDs of other people's photos; if those IDs are sequential or otherwise predictable, a malicious hacker may only have needed to try numbers until one resolved to an image.
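The flaw described above is a classic insecure direct object reference: the server trusted a client-supplied photo ID both when attaching it to the poll and when cascading the poll's deletion. The following toy model is an added illustration, not Facebook's code; the `PhotoService` class, the photo and user names, the numeric IDs and the use of `PermissionError` are all assumptions made for the example. It places the vulnerable attach/delete path beside a hardened one that checks ownership at both steps.

```python
"""Toy model of the poll/attachment flow described in the article.

Added example, not Facebook's code. Service name, data model, IDs and
error types are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Photo:
    photo_id: int
    owner: str
    public: bool = False


@dataclass
class Poll:
    poll_id: int
    owner: str
    photo_id: int


class PhotoService:
    """In-memory stand-in for the photo and poll stores (constructed)."""

    def __init__(self) -> None:
        self.photos: Dict[int, Photo] = {}
        self.polls: Dict[int, Poll] = {}
        self._next_poll_id = 1

    def upload(self, owner: str, photo_id: int, public: bool = False) -> None:
        self.photos[photo_id] = Photo(photo_id, owner, public)

    def _new_poll(self, owner: str, photo_id: int) -> int:
        poll_id = self._next_poll_id
        self._next_poll_id += 1
        self.polls[poll_id] = Poll(poll_id, owner, photo_id)
        return poll_id

    # --- vulnerable flow: the client-supplied photo ID is trusted ---
    def create_poll_vulnerable(self, user: str, photo_id: int) -> int:
        # No check that `user` owns, or may even view, photo_id.
        return self._new_poll(user, photo_id)

    def delete_poll_vulnerable(self, user: str, poll_id: int) -> None:
        poll = self.polls.get(poll_id)
        if poll is None or poll.owner != user:
            raise PermissionError("poll not found or not owned by requester")
        del self.polls[poll_id]
        # Cascade deletes whatever photo the poll points at, owner unchecked.
        self.photos.pop(poll.photo_id, None)

    # --- hardened flow: ownership is enforced at attach and at delete ---
    def create_poll_secure(self, user: str, photo_id: int) -> int:
        photo: Optional[Photo] = self.photos.get(photo_id)
        # Same error for "missing" and "foreign" so the endpoint cannot be
        # used as an oracle to confirm which guessed IDs exist.
        if photo is None or photo.owner != user:
            raise PermissionError("photo not found or not owned by requester")
        return self._new_poll(user, photo_id)

    def delete_poll_secure(self, user: str, poll_id: int) -> None:
        poll = self.polls.get(poll_id)
        if poll is None or poll.owner != user:
            raise PermissionError("poll not found or not owned by requester")
        del self.polls[poll_id]
        photo = self.photos.get(poll.photo_id)
        # Cascade only to a photo the poll's owner actually owns: even if a
        # foreign ID slipped in at attach time, this second check stops the
        # deletion from reaching someone else's picture.
        if photo is not None and photo.owner == user:
            del self.photos[poll.photo_id]


def run_scenario(secure: bool, actor: str = "mallory") -> bool:
    """Replay the reported bug and return True if alice's photo survives.

    `actor` creates a poll referencing alice's private photo 1001 (an ID
    the actor has obtained or guessed) and then deletes that poll.
    """
    svc = PhotoService()
    svc.upload("alice", 1001, public=False)  # constructed sample data
    try:
        if secure:
            poll_id = svc.create_poll_secure(actor, 1001)
            svc.delete_poll_secure(actor, poll_id)
        else:
            poll_id = svc.create_poll_vulnerable(actor, 1001)
            svc.delete_poll_vulnerable(actor, poll_id)
    except PermissionError:
        pass  # hardened path refused the attach; nothing was deleted
    return 1001 in svc.photos


if __name__ == "__main__":
    print("vulnerable, attacker:", "survives" if run_scenario(False) else "deleted")
    print("hardened,   attacker:", "survives" if run_scenario(True) else "deleted")
    print("hardened,   owner:   ", "survives" if run_scenario(True, "alice") else "deleted")
```

The check at attach time is what closes the bug as reported; the check at delete time is defence in depth, so that a reference that reaches the poll through some other path still cannot delete an object the poll's owner does not own. Note that ownership enforcement also removes the incentive to guess IDs: a predictable identifier is only dangerous when knowing it is treated as authorisation.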
Facebook quickly fixed the bug after Darabi reported it, according to the researcher. For his discovery, Facebook rewarded Darabi with $10,000, he said. In an email to Motherboard, Facebook confirmed the researcher's story. This is not the first time independent security researchers have found such bugs in Facebook. In 2015, another researcher found one that allowed him to delete any picture on the site. Others have found similar bugs to delete comments and videos. All these have been fixed.
And, of course, awful bugs aren’t just on Facebook. Last month, a security researcher found that he could access a list of all Google’s bugs without any authorization, opening the door for malicious hackers to get advance notice of critical vulnerabilities on Google, which they could have used to their advantage before the bugs were fixed.