Flaw in New Facebook Design Allowed Removal of Profile Photos

A security vulnerability in the Facebook design (FB5) could have allowed attackers to remove any photo from profiles of the users.

The security expert Philippe Harewood is one of the security researchers that received early access by Facebook to the new FB5 design and discovered an important design flaw.

Harewood explained that the issue affects the GraphQL that is a feature implemented in the new design to remove profile pictures from Facebook fan pages. The design vulnerability could be abused by attackers to delete photos from the profiles of the users.

“The profile_picture_remove mutator is the name of the GraphQL call for this specific mutation. Normally, the mutation accepts a page identifier in the profile_id field for a Facebook page. Changing the identifier for any user profile allowed a malicious user to dissociate the user’s profile picture.” reads a blog post published by Harewood.

The researcher also published a proof-of-concept (PoC) code that allowed him to remove the profile photo from any targeted user’s account.

Harewood pointed out that the original photo removed exploiting the flaw was still available, this means that a user is able to set the profile picture back to the original in an easy way.

Facebook acknowledged the vulnerability and awarded the researcher a $2,500 as part of its bug bounty program.

“We recently ran a similar program where we granted a select group of researchers early access to FB5, the new design for Facebook we announced at our F8 conference. One of these researchers, Philippe Harewood, identified a bug in the new interface that could have allowed someone to remove another person’s profile photo. If this bug was exploited, a person’s profile photo would appear blank.” reads a post published by Facebook. “However, the photo would still be saved in the person’s account and available to upload. We thank Philippe for sharing this bug so we could fix it before FB5 rolls out worldwide. You can read more about his finding here.”

Facebook also announced that it is expanding its Data Abuse Bounty program to include Instagram. The social network giant will launch an invitation-only bug bounty program for the Checkout feature implemented in Instagram.

Checkout on Instagram allows people to purchase products directly on Instagram without leaving the app. To continue to ensure this feature’s security as we expand globally, we’ve invited a select group of security researchers to stress test it.” concludes Facebook.

“We are exploring other opportunities to tap into the expertise of researchers who consistently submit high-quality research to our bug bounty program and invite them to test new features prior to launch.”

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase