Discovered earlier this month by Pouya Darabi, an Iranian web developer, the vulnerability resides in Facebook’s new Poll feature. He quickly reported the bug to Facebook on November 3, and the company patched it on November 5. In return, Darabi received a $10,000 bounty from Facebook for preventing potential damage to both users and the social media giant’s reputation.

Earlier this month, Facebook launched a new Poll feature for posting polls that include images and GIF animations. With this feature, users can ask a question and then add two images that their friends and followers can choose from. When the user creates a poll, the ID numbers of the images used are sent along.

According to Darabi, he analyzed the traffic and found that when a user created a poll, a request was sent to the Facebook servers that included the file IDs of the images or the GIF URL attached to the poll. Anyone could easily replace the image ID in the request with the ID of any photo on Facebook, and that photo would appear in the poll.
“Whenever a user tries to create a poll, a request containing gif URL or image id will be sent, poll_question_data[options][][associated_image_id] contains the uploaded image id,” Darabi said. “When this field value changes to any other images ID, that image will be shown in poll.”

Apparently, if the poll creator deleted his own poll, the included image (the one taken from someone else’s page) was completely deleted from Facebook, and not just from the poll.

This isn’t the first time Darabi has received a reward from Facebook. In 2015, the company paid him a $15,000 bug bounty for bypassing its protection against cross-site request forgery (CSRF). In 2016, he earned another $7,500 for finding a similar problem.

Source: The Hacker News
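The flaw described above is a missing server-side ownership check on a client-supplied object ID, made worse by a delete that cascades to the referenced object. The sketch below is an added example, not Facebook's code: it models the trusted-ID behaviour beside a hardened version. PollStore, Forbidden, sample_body, the user names and the photo IDs are constructed for illustration, and it assumes poll images are removed together with the poll.

```python
from itertools import count
from urllib.parse import parse_qs

FIELD = "poll_question_data[options][][associated_image_id]"  # field named in the article

class Forbidden(Exception):
    """The caller referenced or touched an object it does not own."""

def sample_body(*ids):
    return "&".join(f"{FIELD}={i}" for i in ids)  # constructed request body

class PollStore:  # hypothetical in-memory model
    def __init__(self, photos):
        self.photos = dict(photos)  # photo_id -> owner (constructed sample data)
        self.polls = {}             # poll_id -> (owner, [photo_id, ...])
        self._ids = count(1)

    def _store(self, user, ids):
        poll_id = next(self._ids)
        self.polls[poll_id] = (user, ids)
        return poll_id

    # Behaviour the article describes: IDs from the request are trusted as-is.
    def create_poll_unsafe(self, user, body):
        return self._store(user, parse_qs(body).get(FIELD, []))

    def delete_poll_unsafe(self, user, poll_id):
        _, ids = self.polls.pop(poll_id)
        for pid in ids:
            self.photos.pop(pid, None)  # also removes photos the creator never owned

    # Hardened: every referenced object is authorized on the server.
    def create_poll(self, user, body):
        ids = parse_qs(body).get(FIELD, [])
        for pid in ids:
            if self.photos.get(pid) != user:
                raise Forbidden(f"photo {pid} is not owned by {user}")
        return self._store(user, ids)

    def delete_poll(self, user, poll_id):
        owner, ids = self.polls[poll_id]
        if owner != user:
            raise Forbidden(f"poll {poll_id} is not owned by {user}")
        del self.polls[poll_id]
        for pid in ids:
            if self.photos.get(pid) == user:  # never cascade to someone else's photo
                del self.photos[pid]
```

The ownership test in delete_poll is redundant once create_poll rejects foreign IDs, but it keeps a single missed check from turning into data loss.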