Vulnerability Description
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks. Reference: OWASP
Steps to Reproduce
1. Create an Event, right click edit and inspect element
2. Change the event_id's values to victim's Event id so attacker can request to edit victim's Event
3. To Overwrite, upload new photo then save
4. To Remove, click the "x" then save
Attacker successfully removed the cover photo without victim's knowledge
as well as overwrite the cover photo
FIX
Now, you can only overwrite/remove your own cover.
Disclosure Timeline
Jan 11, 2016 - Report Sent
Jan 13, 2016 - Escalation by Facebook
Jan 14, 2016 - Patched by Facebook
Jan 20, 2016 - Bounty Awarded by Facebook