Facebook Patches Bug that Allows Deletion of User-Posted Photos
A Facebook vulnerability that allowed a malicious actor to delete any photo a user had uploaded to the social network was disclosed. A security researcher found the flaw in Facebook's new poll feature, which lets a user create a poll with two answer options that friends and followers can vote on. Facebook's security team was alerted, provided an initial fix within 12 hours and a full fix two days later.
Iran-based security researcher and web developer Pouya Darabi was examining Facebook's new feature when he noticed the flaw. Darabi discovered that he could attach an image to his own poll by changing the image ID numbers in the poll-creation request, with no check that the image belonged to him. This allowed him to preview pictures uploaded by other Facebook users and add them to a poll. When he deleted that poll, the attached images were permanently deleted from the social network along with it: the server cascaded the poll deletion into the attached photos without verifying who owned them.
The vulnerability is not easy to exploit at scale because image ID numbers are not entirely sequential. An attacker would have to guess IDs, and most guesses would not land on a valid image. Targeting a specific user's photo would therefore be difficult, although any valid ID an attacker did obtain (for example, from a photo URL) could be deleted outright.
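To make the failure concrete, here is an added, constructed model of the bug described above. It is not Facebook's code and not from the researcher's report; the PollService API, the object names and the photo IDs are assumptions. The same service runs with the missing ownership check (reproducing the bug) and with it enforced, and the hardened path goes slightly beyond the page by adding a second ownership check at delete time as defence in depth.

```python
# Added example: a constructed in-memory model of the poll-attachment bug.
# Not Facebook's code; PollService, its methods and all IDs are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class Forbidden(Exception):
    """The caller referenced an object it does not own."""


@dataclass
class Photo:
    photo_id: int
    owner: str


@dataclass
class Poll:
    poll_id: int
    owner: str
    image_ids: List[int] = field(default_factory=list)


class PollService:
    """Polls whose two answer options can each carry an uploaded photo.

    enforce_ownership=False reproduces the bug: any existing photo ID is
    accepted at attach time, and deleting the poll cascades to the photos.
    enforce_ownership=True is the hardened behaviour.
    """

    def __init__(self, enforce_ownership: bool) -> None:
        self.enforce_ownership = enforce_ownership
        self.photos: Dict[int, Photo] = {}
        self.polls: Dict[int, Poll] = {}
        self._next_poll_id = 1

    def upload_photo(self, owner: str, photo_id: int) -> Photo:
        photo = Photo(photo_id, owner)
        self.photos[photo_id] = photo
        return photo

    def create_poll(self, caller: str, image_ids: List[int]) -> Poll:
        if len(image_ids) != 2:
            raise ValueError("a poll has exactly two answer options")
        for pid in image_ids:
            photo = self.photos.get(pid)
            if photo is None:
                raise KeyError(f"unknown photo {pid}")  # a guessed ID that missed
            # Hardened path: the photo must belong to the caller. The vulnerable
            # path skips this, so a swapped ID attaches someone else's photo.
            if self.enforce_ownership and photo.owner != caller:
                raise Forbidden(f"photo {pid} is not owned by {caller}")
        poll = Poll(self._next_poll_id, caller, list(image_ids))
        self.polls[poll.poll_id] = poll
        self._next_poll_id += 1
        return poll

    def preview_poll(self, poll_id: int) -> List[Optional[Photo]]:
        """What the poll author sees: the attached photos, whoever owns them."""
        return [self.photos.get(pid) for pid in self.polls[poll_id].image_ids]

    def delete_poll(self, caller: str, poll_id: int) -> List[int]:
        """Delete a poll; returns the IDs of photos removed by the cascade."""
        poll = self.polls[poll_id]
        if poll.owner != caller:
            raise Forbidden("only the poll owner may delete it")
        deleted: List[int] = []
        for pid in poll.image_ids:
            photo = self.photos.get(pid)
            if photo is None:
                continue
            # Hardened path adds a second check at delete time (defence in depth):
            # never cascade a poll deletion into a photo the poll owner does not own.
            if self.enforce_ownership and photo.owner != poll.owner:
                continue
            del self.photos[pid]
            deleted.append(pid)
        del self.polls[poll_id]
        return deleted


def victim_photo_survives(enforce_ownership: bool) -> bool:
    """Replay the report: attacker swaps a victim's photo ID into their own poll,
    previews it, then deletes the poll. Returns whether the victim's photo is left."""
    svc = PollService(enforce_ownership)
    svc.upload_photo("victim", 100123)      # constructed victim photo ID
    svc.upload_photo("attacker", 100777)    # attacker's own photo
    try:
        poll = svc.create_poll("attacker", [100777, 100123])  # 100123 swapped in
    except Forbidden:
        return 100123 in svc.photos          # hardened: the attach is refused
    # Vulnerable: the attacker can preview the victim's photo through the poll ...
    assert svc.preview_poll(poll.poll_id)[1].owner == "victim"
    # ... and deleting the poll removes that photo from the service.
    svc.delete_poll("attacker", poll.poll_id)
    return 100123 in svc.photos


if __name__ == "__main__":
    print("vulnerable, victim photo survives:", victim_photo_survives(False))
    print("hardened,   victim photo survives:", victim_photo_survives(True))
```

The point the model makes is that validating "this ID exists" is not authorization: every object reference a client submits must be checked against the caller's rights, and an operation that cascades (delete poll, therefore delete attachments) must be checked again on the objects it reaches, not only on the parent.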
Darabi was awarded US$10,000 for discovering and reporting the security bug. This was not the first time the security researcher earned a bounty from Facebook. In 2015, he was awarded $15,000 for bypassing its cross-site request forgery (CSRF) protection systems. The following year, he received another $7,500 for a similar flaw.
The discovery of the flaw is a reminder that social networks and their users are equally exposed to threats. Users could not have defended themselves against this particular bug: it lived in Facebook's own service, and only the quick fix Facebook rolled out after the researcher's report closed it. The fix prevented users' photos from being deleted, but they should remain alert to future exploits that cybercriminals may develop.
Secure Your Social Media Account
A recent study found that the average person spends approximately 116 minutes on social networks every day. That ubiquity, together with the growing number of applications and accounts linked to social media logins, makes these platforms attractive targets for malicious actors.
Here are some tips for keeping your accounts secure:
- Keep your mobile apps updated. Make sure you have the latest version of the platform's app. Updates close client-side flaws in the app itself; a server-side flaw like the one above can only be fixed by the platform, so updating is necessary but not sufficient.
- Close the accounts that you don’t use. Forgotten social media accounts may be compromised without being noticed. Hackers can leverage these and access other accounts linked to it, like your email.
- Check what apps are connected to your social media. Do you use Facebook or Google to sign into any other application? Assess if this type of access is necessary.
- Practice good password hygiene. Use a different password for each social media account, and make sure each one is long and not easily guessed. Enable two-factor authentication (2FA) wherever it is offered, so that a stolen password alone is not enough to get into the account.
- Use a unique email address for your social media accounts. If possible, create a whole new email account specifically for social media so that if you are compromised, the hackers won’t have access to any valuable information.
You can also secure your social media accounts with comprehensive and multilayered protection. Effective and comprehensive security solutions can help you enjoy your digital life safely. Trend Micro™ Maximum Security secures multiple devices, helps manage passwords, and guards against the most prevalent online threats.