Security researcher Pouya Darabi found a serious vulnerability in Facebook's feature for creating polls with attached images and GIF animations, a feature Facebook introduced in early November 2017.
When a poll was created, the browser sent a request to Facebook's servers that included the file IDs of the images attached to the poll. Darabi noticed that a user could replace the image ID in that request with the ID of any photo on Facebook, and the server accepted it without checking that the photo belonged to the poll's creator: the photo then appeared in the poll. Worse, when the poll creator deleted the poll, the deletion cascaded to the attached images, so a photo whose ID had been substituted into the request was deleted from Facebook as well. In other words, two missing checks combined: an insecure direct object reference on the image ID at creation time, and a delete that trusted the poll's attachment list instead of verifying ownership of each photo.
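The following is a constructed model of the two missing checks described above; it is an added illustration, not Facebook's code, and the data model, function names and photo IDs ("p-victim", "p-attacker") are invented. It shows the vulnerable create/delete pair beside a fixed pair that authorizes each referenced photo and, as defense in depth, only cascades deletion to photos the deleting user owns.

```python
"""Constructed model of the poll-image IDOR described above (not Facebook's code)."""
from dataclasses import dataclass

# In-memory stores standing in for the photo and poll services (constructed sample state).
PHOTOS = {}   # photo_id -> owner user_id
POLLS = {}    # poll_id -> Poll


class Forbidden(Exception):
    """Raised when an authorization check fails."""


@dataclass
class Poll:
    poll_id: str
    owner: str
    image_ids: list


def reset_store():
    """Seed constructed data: 'victim' owns photo p-victim, 'attacker' owns p-attacker."""
    PHOTOS.clear()
    POLLS.clear()
    PHOTOS.update({"p-victim": "victim", "p-attacker": "attacker"})


def create_poll_vulnerable(user, poll_id, image_ids):
    """Trusts the image IDs in the request: any photo ID on the platform is accepted."""
    POLLS[poll_id] = Poll(poll_id, user, list(image_ids))
    return POLLS[poll_id]


def delete_poll_vulnerable(user, poll_id):
    """Deletes the poll and cascades to every attached photo, whoever owns it."""
    poll = POLLS[poll_id]
    if poll.owner != user:
        raise Forbidden("not the poll owner")
    for image_id in poll.image_ids:
        PHOTOS.pop(image_id, None)   # the victim's photo disappears here
    del POLLS[poll_id]


def create_poll_fixed(user, poll_id, image_ids):
    """Authorizes each referenced object: only the caller's own photos may be attached."""
    for image_id in image_ids:
        if PHOTOS.get(image_id) != user:
            raise Forbidden(f"{image_id} is not owned by {user}")
    POLLS[poll_id] = Poll(poll_id, user, list(image_ids))
    return POLLS[poll_id]


def delete_poll_fixed(user, poll_id):
    """Cascades only to photos the deleting user owns (second, independent check)."""
    poll = POLLS[poll_id]
    if poll.owner != user:
        raise Forbidden("not the poll owner")
    for image_id in poll.image_ids:
        if PHOTOS.get(image_id) == user:
            del PHOTOS[image_id]
    del POLLS[poll_id]


def reproduce(create, delete):
    """Run the attack from the article against a create/delete pair.

    The attacker swaps their own photo ID for the victim's in the request body,
    then deletes the poll. Returns True if the victim's photo survived.
    """
    reset_store()
    try:
        create("attacker", "poll-1", ["p-victim"])
        delete("attacker", "poll-1")
    except Forbidden:
        pass
    return "p-victim" in PHOTOS


if __name__ == "__main__":
    print("vulnerable pair, victim photo survives:",
          reproduce(create_poll_vulnerable, delete_poll_vulnerable))
    print("fixed pair, victim photo survives:     ",
          reproduce(create_poll_fixed, delete_poll_fixed))
```

Running the script shows the vulnerable pair losing the victim's photo and the fixed pair keeping it. The ownership check on delete is deliberately redundant with the one on create: if a later code path attaches images without the creation-time check, the cascade still cannot destroy another user's data.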
Darabi reported the vulnerability to Facebook on November 3, 2017. A temporary fix was deployed the same day, and on November 5, 2017 the company shipped a complete patch.
According to Darabi, Facebook paid him $10,000 for the find under its bug bounty program. This is not the first reward Darabi has received from Facebook: in 2015 the company paid him $15,000 for a bypass of its cross-site request forgery (CSRF) protection, and in 2016 he earned another $7,500 for a similar issue.