A security researcher found a critical bug in a new Facebook feature, and got a $10,000 reward for telling the social media giant.
New features in software always bring bugs. Still, some are worse than others. When Facebook rolled out its new polling feature earlier this month, which allows people to post votable questions on anything from what to have for dinner to what dress to wear at a prom dance, it also inadvertently opened the door for hackers to delete any picture on the network.
Security researcher Pouya Darabi discovered this bug in early November. When someone created a poll, he found, it would send a request to Facebook servers that included a unique ID for the picture or GIF included. At that point, as Darabi explains in a blog post, he could replace that ID with the ID of any other picture on the network, even ones other people had uploaded.
That way, the poll he’d created would include other people’s pictures, even ones that are not set to public. Then, when he deleted his own poll, the image included (the one taken from someone else's page) was completely deleted from Facebook—and not just from the poll. It’s unclear how Darabi could obtain the ID of other people’s photos, but it’s possible that all a malicious hacker had to do was to guess a random number until he or she got an image.
Darabi posted a video showing how the bug worked:
Facebook quickly fixed the bug after Darabi reported it, according to the researcher. For his discovery, Facebook rewarded Darabi with $10,000, he said. In an email to Motherboard, Facebook confirmed the researcher's story.
Read more: The Motherboard Guide To Not Getting Hacked
This is not the first time independent security researchers have found such bugs in Facebook. In 2015, another researcher found one that allowed him to delete any picture on the site. Others have found similar bugs to delete comments and videos. All these have been fixed.
And, of course, awful bugs aren’t just on Facebook. Last month, a security researcher found that he could access a list of all Google’s bugs without any authorization, opening the door for malicious hackers to get advance notice of critical vulnerabilities on Google, which they could have used to their advantage before the bugs were fixed.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Get six of our favorite Motherboard stories every day by signing up for our newsletter.