Facebook Design Flaw Allow Hackers to Remove Any Facebook User Profile Photo
August 22, 2019 Share

Facebook Design Flaw Allow Hackers to Remove Any Facebook User Profile Photo

FB5

A design flaw in recent Facebook update FB5, let malicious users remove the profile pictures of other users and set back to the default Facebook profile picture.

The vulnerability was discovered by a security researcher Philippe Harewood who had early access to FB5. Earlier Zuckerberg said FB5 to bring the biggest change to the Facebook app and website.

With FB5 Facebook used “GraphQL” an open-source API query language to remove the profile picture from the Facebook fan page. GraphQL was used by Facebook mobile apps since 2012.

Harewood explains that the profile_picture_remove mutator is the graphical call responsible for showing specific mutation.

“Normally, the mutation accepts a page identifier in the profile_id field for a Facebook page. Changing the identifier for any user profile allowed a malicious user to dissociate the user’s profile picture.”

Hereby changing the identifier value would result in removing the current profile picture and replace that with a default profile picture. But the image remains with the Facebook account and users can change at any time.

POST /graphql?access_token=EAA…ZDZD HTTP/1.1
Host: graph.facebook.com

q=Mutation a:b {profile_picture_remove(){client_mutation_id}}
query_params={input:{profile_id:13608786,client_mutation_id:0,actor_id:113702895386410}}

The issue was reported by the researcher to Facebook and the vulnerability has been fixed. Facebook awarded $2500 as a Bounty. Recently Facebook sued, two App Developers for Click Injection Fraud Using Facebook Ads

This post Facebook Design Flaw Allow Hackers to Remove Any Facebook User Profile Photo originally appeared on GB Hackers.

Read More