Monday, February 8, 2016

Overwriting/Removing Cover Photos on Facebook Event Pages

This blog post is about an Insecure Direct Object Reference vulnerability in Facebook Events which would have allowed an attacker to remove or overwrite your Event cover photo simply by replacing his own Event id with yours in the Event editing request.

Vulnerability Description

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. 
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks. Reference: OWASP

Steps to Reproduce

1. Create an Event, right-click the Edit button and choose Inspect Element

2. Change the event_id value to the victim's Event id, so that the attacker's edit request targets the victim's Event

3. To overwrite, upload a new photo, then save
4. To remove, click the "x", then save

The attacker successfully removed the cover photo without the victim's knowledge,

as well as overwrote the cover photo.

Now, after the fix, you can only overwrite or remove your own cover.
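The IDOR described above and the server-side fix it needs, as an added example that is not code from the original post or from Facebook. It models the "edit cover photo" request with an in-memory store; the `EventStore` class, the user and event ids, and the form field names are all assumptions made for this illustration. The vulnerable handler trusts the submitted `event_id` and edits whatever object it names; the fixed handler looks up the same object but refuses unless the session user owns it. Both the overwrite and the remove (missing photo, the "x" case) paths go through the same check.

```python
"""
Added example (not from the original post): a minimal in-memory model of an
"edit event cover photo" endpoint, showing the IDOR pattern the post describes
next to the ownership check that closes it. All names, ids and the EventStore
class are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised when a user tries to edit an event they do not own."""


@dataclass
class Event:
    event_id: int
    owner_id: int
    cover_photo: Optional[str] = None


class EventStore:
    """Stand-in for the database table of events (assumed, not Facebook's)."""

    def __init__(self) -> None:
        self._events: Dict[int, Event] = {}

    def create(self, event_id: int, owner_id: int, cover_photo: Optional[str]) -> Event:
        ev = Event(event_id, owner_id, cover_photo)
        self._events[event_id] = ev
        return ev

    def get(self, event_id: int) -> Event:
        return self._events[event_id]


def update_cover_vulnerable(store: EventStore, session_user_id: int, form: dict) -> Event:
    """Vulnerable: the object is selected purely by the client-supplied event_id.
    The logged-in user is never compared with the event's owner, so any
    event_id the client submits gets edited."""
    ev = store.get(int(form["event_id"]))
    ev.cover_photo = form.get("cover_photo")  # None when the "x" (remove) was clicked
    return ev


def update_cover_fixed(store: EventStore, session_user_id: int, form: dict) -> Event:
    """Fixed: same lookup, but ownership is enforced on the server using the
    session identity, not anything the client sent."""
    ev = store.get(int(form["event_id"]))
    if ev.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} does not own event {ev.event_id}")
    ev.cover_photo = form.get("cover_photo")
    return ev


def demo():
    """Constructed scenario: attacker (user 2) submits the victim's (user 1) event_id.
    Returns (cover after vulnerable handler, whether fixed handler blocked it,
    cover after fixed handler)."""
    store = EventStore()
    store.create(1001, owner_id=1, cover_photo="victim.jpg")    # victim's event
    store.create(2002, owner_id=2, cover_photo="attacker.jpg")  # attacker's own event

    # The tampered request from the post: attacker's session, victim's event_id.
    tampered = {"event_id": "1001", "cover_photo": "attacker_chosen.jpg"}

    update_cover_vulnerable(store, session_user_id=2, form=tampered)
    after_vuln = store.get(1001).cover_photo   # victim's cover was overwritten

    store.get(1001).cover_photo = "victim.jpg"  # reset before trying the fixed handler
    try:
        update_cover_fixed(store, session_user_id=2, form=tampered)
        blocked = False
    except Forbidden:
        blocked = True
    after_fix = store.get(1001).cover_photo    # unchanged

    return after_vuln, blocked, after_fix


if __name__ == "__main__":
    print(demo())
```

The check belongs next to the lookup, in the handler that mutates the object, rather than in the UI that hides the edit button: the inspect-element step in the post shows why client-side controls give no protection once the request itself can be edited.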

Disclosure Timeline

Jan 11, 2016 - Report Sent
Jan 13, 2016 - Escalation by Facebook
Jan 14, 2016 - Patched by Facebook
Jan 20, 2016 - Bounty Awarded by Facebook

  1. Congrats sir, you've been on the whitehat list for 5 years now haha

  2. Congrats and thank you for sharing! :-) You're a legend!

  3. You're really OP, Mr. Roy. Please teach us too, here in Calbayog, Samar hehe. God bless.
