Facebook Inc. has patched a security vulnerability that allowed any user to access and then delete any photo uploaded by another user.
The vulnerability, discovered by security researcher Pouya Darabi, involves a coding issue in a recently released polling feature launched by the social network. Within the polling feature, users can attach photos to poll questions, and they do so via HTML code that is submitted to Facebook’s servers.
That code contains an ID number for the photo, which seems innocuous enough, but Darabi found that by changing the ID he could bring up photos belonging to anyone on Facebook, even users whose profiles were set to private. With that ID, any photo could be attached to the poll. The kicker was that when the poll was deleted, so was every photo attached to it, meaning that in theory a malicious actor could access and delete any photo hosted by Facebook.
The good news is that Darabi was not a malicious actor; instead, he reported the issue to Facebook’s security team, along with a proof of concept, on Nov. 3. Darabi wrote that Facebook triaged the issue within 12 hours, rolled out a fix two days later, then showed its gratitude by paying him $10,000 under its bug bounty program on Nov. 8.
Paul Ducklin, security researcher at Sophos Group plc, believes the vulnerability should serve as a lesson to programmers to test everything. “Sometimes, ‘failing soft,’ where faulty code causes security to be reduced, is appropriate, such as automatically unlocking the fire escape doors if your security software crashes or the electrical power fails,” Ducklin wrote. “At other times, you want to ‘fail hard,’ or ‘fail closed,’ such as not accepting any authentication passwords if you think some of them have been compromised. In particular, if there are conditions in your software that the developer assures you ‘cannot happen,’ assume not only that they can but also that they surely will, and test accordingly.”
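The two defects described above, a user-supplied photo ID trusted without an ownership check and a poll deletion that cascades to every attached photo, together with Ducklin’s fail-closed advice, as an added example that is not Facebook’s code: a toy in-memory model with the vulnerable handlers next to hardened ones. All names (`Store`, `Photo`, `Poll`, `AuthzError`, the users “alice” and “bob”, the photo IDs 101 and 202) are constructed for illustration and do not appear in the article.

```python
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: int
    owner: str


@dataclass
class Poll:
    poll_id: int
    owner: str
    photo_ids: list = field(default_factory=list)


class AuthzError(Exception):
    """Raised whenever an ownership check fails or cannot be completed."""


class Store:
    """Constructed stand-in for the photo and poll tables."""
    def __init__(self):
        self.photos = {}
        self.polls = {}


def sample_store():
    """Constructed fixture: Alice owns photo 101, Bob owns photo 202 and poll 1."""
    s = Store()
    s.photos[101] = Photo(101, "alice")
    s.photos[202] = Photo(202, "bob")
    s.polls[1] = Poll(1, "bob")
    return s


# --- vulnerable path: the photo ID from the submitted form is trusted as-is ---
def attach_photo_vulnerable(store, user, poll_id, photo_id):
    poll = store.polls[poll_id]
    if photo_id not in store.photos:      # existence is the only check; owner is never consulted
        raise KeyError("no such photo")
    poll.photo_ids.append(photo_id)


def delete_poll_vulnerable(store, user, poll_id):
    poll = store.polls.pop(poll_id)
    for pid in poll.photo_ids:            # cascade deletes every attached photo, whoever owns it
        store.photos.pop(pid, None)


# --- hardened path: authorize against the object's owner, and fail closed ---
def _owned_photo(store, user, photo_id):
    try:
        photo = store.photos[photo_id]
    except Exception as exc:
        # fail closed: an unknown ID or a lookup error is a denial, never a pass
        raise AuthzError("photo lookup failed") from exc
    if photo.owner != user:
        raise AuthzError("photo belongs to another user")
    return photo


def attach_photo_hardened(store, user, poll_id, photo_id):
    poll = store.polls.get(poll_id)
    if poll is None or poll.owner != user:
        raise AuthzError("poll not owned by requester")
    _owned_photo(store, user, photo_id)   # deny before any state changes
    poll.photo_ids.append(photo_id)


def delete_poll_hardened(store, user, poll_id):
    poll = store.polls.get(poll_id)
    if poll is None or poll.owner != user:
        raise AuthzError("poll not owned by requester")
    del store.polls[poll_id]
    # defense in depth: even if a foreign reference slipped in, only the
    # requester's own photos are removed; other users' photos are merely detached
    for pid in poll.photo_ids:
        photo = store.photos.get(pid)
        if photo is not None and photo.owner == user:
            del store.photos[pid]


def demo():
    """Returns whether Alice's photo survives Bob deleting his poll in each model."""
    s = sample_store()
    attach_photo_vulnerable(s, "bob", 1, 101)   # tampered ID points at Alice's photo
    delete_poll_vulnerable(s, "bob", 1)
    vuln_survives = 101 in s.photos

    s = sample_store()
    try:
        attach_photo_hardened(s, "bob", 1, 101)  # rejected before the poll is touched
    except AuthzError:
        pass
    delete_poll_hardened(s, "bob", 1)
    hard_survives = 101 in s.photos
    return vuln_survives, hard_survives


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The point of `_owned_photo` is Ducklin’s “fail closed”: a missing row or a lookup error raises `AuthzError` rather than falling through, and the ownership check runs before the poll is mutated, so a rejected request leaves no dangling reference behind.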