Deleting anyone’s Facebook photo, a bug that earned researcher $10,000

The social media giant Facebook has more than 2 billion monthly active users so when there is a bug in it, that’s big news. Recently an Iranian security researcher discovered a critical bug that allowed anyone to delete any photo from any user on Facebook without having access to their account.

The researcher who goes by the name of Pouya Darabi, found the bug while going through new features introduced by Facebook and noted that that the newly added “poll feature” on the site carried the flaw that could be exploited to remove photos from an account without user knowledge or permission.

Facebook introduced the poll feature earlier this month for its website and mobile app. It allows users to create polls and also upload photos or GIFs to go along with each option. Darabi noted that whenever he tried to create a poll, a request containing gif URL or image ID was sent and when this field value was changed to any other images ID, that image will be shown in the poll. After sending a request with another user image ID, a poll containing that image would be created. Once he deleted the poll, Facebook would remove the victim’s image as a poll property.

This means a poll creator could delete anyone’s photo on Facebook by just using the image ID without needing to log in to a victim’s account. “Whenever a user tries to create a poll, a request containing gif URL or image ID will be sent, poll_question_data[options][][associated_image_id] contains the uploaded image id,” Darabi said. “When this field value changes to any other images ID, that image will be shown in the poll,” said Darabi.

Darabi reported the bug to Facebook, and in return, he was paid an amount of $10,000.

Facebook is not new to such bugs, in fact, an Indian web developer reported a similar bug while playing around with Graph API, that would allow anyone to delete every photo of any Facebook user without accessing victim’s account.

Another researcher discovered a critical vulnerability in Facebook that allowed him to access anyone’s account password without much hassle. In return, he was paid $15,000 by the social media giant. There are several other incidents where people submitted reports on bugs in Facebook which can be read here.


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.