How I Can Still See Your Image on Facebook After You Deleted It | Meta | BugBounty | 2024

Prathapilango
4 min read · Jul 11, 2024

Introduction

Hey folks, I’m Prathap, and I’m here to share one of the weird vulnerabilities I’ve found in Meta’s product, Facebook. In today’s digital age, user privacy is paramount. Platforms like Facebook, which manage a lot of personal data, are responsible for ensuring that users’ information is protected and deleted upon request. However, a recent discovery highlights a significant flaw in Facebook’s media deletion process, raising concerns about user privacy and data retention practices.

The Vulnerability

Scenario Overview

The vulnerability involves Facebook’s “Featured” section, where users can display selected photos. The issue occurs when UserOne uploads a photo and UserTwo adds the same photo to their “Featured” section using an IDOR (Insecure Direct Object Reference) vulnerability in the media ID. Even if UserOne deletes the photo, it remains accessible in UserTwo’s “Featured” section, posing a significant privacy risk.

There’s also a logical flaw: if UserTwo creates their account today and adds the image, the Featured section displays the upload date as 6 years ago.

[Image: UserTwo account created date]
[Image: the featured photo's date shows as 6 yrs]

Deletion Behavior: When UserOne deletes their photo, it remains accessible through UserTwo’s “Featured” section using the same media_id. This indicates a more significant issue with media retention, not just a delay in CDN cache clearance.

Step-by-Step Reproduction:

  1. UserOne uploads a photo.
  2. UserTwo captures the request in Burp Suite when navigating to Facebook profile page: Edit Featured > Edit featured collection > Add More > Select photo > Save.
  3. UserTwo changes the value of the {"media_card_id":"122xxxxxxxxxx50554"} parameter to UserOne’s photo media ID: 204xxxxxxxxxx401.
  4. UserTwo sends the modified request.
  5. Now, in UserTwo’s Featured section, the original photo of UserOne is displayed with the same ID.

Proof of Concept (POC)

  • UserOne’s CDN Link:
https://scontent.fmaa2-1.fna.fbcdn.net/v/t39.30808-6/435092106_2219004331764696_1352993520232648360_n.jpg?_nc_cat=101&ccb=1-7&_nc_sid=5f2048&_nc_ohc=q_4lK3dFWoEAb69PYV0&_nc_ht=scontent.fmaa2-1.fna&oh=00_AfCH9QdbI8EYOrgtjrt6qB8O3QmylGusdGI-oA2OPvVkDg&oe=66209539
  • UserTwo’s Featured Section CDN Link:
https://scontent.fixm4-1.fna.fbcdn.net/v/t39.30808-6/435092106_2219004331764696_1352993520232648360_n.jpg?_nc_cat=101&ccb=1-7&_nc_sid=5f2048&_nc_ohc=id99glADTWMAb7VeW-J&_nc_ht=scontent.fixm4-1.fna&oh=00_AfBebu_MXh6B5yhLOsyfKP_1ZzFhOU1bfVHvDmdtHyy8WA&oe=6626F479

Technical Analysis

Understanding CDN and Media Deletion

CDNs (Content Delivery Networks) are designed to deliver content quickly by caching copies of data in multiple locations around the world. This setup is excellent for performance but poses challenges for data deletion. When a user deletes a photo, the CDN should ideally purge all cached copies. However, as seen in this vulnerability, the same media_id allows the photo to persist in another user's featured section, bypassing the intended deletion.

The Role of Media IDs

The media_id is a unique identifier for media files uploaded to Facebook. When UserTwo uses the same media_id to feature UserOne's photo, it essentially points to the same resource on Facebook's servers. This shared media_id is the crux of the issue, as it ties the media file to both users, even after deletion by the original uploader.
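The two server-side controls that the analysis above implies are missing can be shown with a small in-memory model. This is an added example, not code from the original write-up or from Facebook: the MediaService class, its flags, the scenario helper and the media ID "204-constructed" are all hypothetical, and "only the owner may feature a photo" is an assumed policy.

```python
class MediaService:
    """Toy model, constructed for illustration; not Facebook's code."""
    def __init__(self, enforce_ownership, cascade_delete):
        self.enforce_ownership = enforce_ownership
        self.cascade_delete = cascade_delete
        self.media = {}      # media_id -> {"owner": ..., "blob": ...}
        self.featured = {}   # user -> media_ids shown in "Featured"

    def upload(self, user, media_id, blob):
        self.media[media_id] = {"owner": user, "blob": blob}

    def add_featured(self, user, media_id):
        item = self.media.get(media_id)
        if item is None:
            raise KeyError("unknown media_id")
        # Hardened path: a client-supplied ID must belong to the caller.
        if self.enforce_ownership and item["owner"] != user:
            raise PermissionError("media_id is not owned by requester")
        self.featured.setdefault(user, []).append(media_id)

    def delete(self, user, media_id):
        item = self.media.get(media_id)
        if item is None or item["owner"] != user:
            raise PermissionError("only the owner can delete")
        if self.cascade_delete:
            # Hardened path: drop the object and every reference to it.
            del self.media[media_id]
            for ids in self.featured.values():
                ids[:] = [m for m in ids if m != media_id]
        else:
            # Weak path: flag only; the blob and foreign references remain.
            item["deleted"] = True

    def view_featured(self, user):
        # Renders whatever the stored references still resolve to.
        refs = self.featured.get(user, [])
        return [self.media[m]["blob"] for m in refs if m in self.media]


def scenario(enforce_ownership, cascade_delete):
    """Replay the write-up's steps; return (request accepted, what UserTwo shows)."""
    svc = MediaService(enforce_ownership, cascade_delete)
    svc.upload("UserOne", "204-constructed", b"photo-bytes")
    try:
        svc.add_featured("UserTwo", "204-constructed")
        accepted = True
    except PermissionError:
        accepted = False
    svc.delete("UserOne", "204-constructed")
    return accepted, svc.view_featured("UserTwo")
```

With both flags off the model reproduces the reported behaviour; either control alone is enough to keep the deleted photo out of UserTwo's Featured section, and the ownership check also rejects the modified request up front.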

Privacy Implications

This behavior raises serious concerns about the effectiveness of Facebook’s media deletion process. If deleted media can still be accessed and used by others, then what is the purpose of deleting media on Facebook? It undermines the very purpose of deletion. Users expect their data to be removed permanently when they choose to delete it, ensuring their privacy and control over their personal information.

Facebook’s Response

After 25 responses and discussions, Facebook eventually closed the issue as “informative.”

There is no need to be upset!

Meta’s response:

“Due to how the internet operates, it is not always possible to retroactively prevent a person from accessing a photo after it has been delivered to their device. It might have been saved locally, stored in their browser cache, or temporarily cached in a nearby Content Delivery Network (CDN). These factors prevent us from retroactively restricting access to this data. We make a best effort to achieve this, but it is not foolproof.”

While this response addresses some aspects of the problem, it does not fully resolve the core issue of deleted media remaining accessible through Facebook’s own CDN links.

Conclusion

The persistence of deleted media on Facebook’s CDN, accessible through the same media_id under another user's "Featured" section, poses a significant privacy and security risk. This issue highlights the need for more robust mechanisms to ensure that deleted content is truly removed from all aspects of the platform, including CDN caches.

As users, we entrust platforms like Facebook with our personal data, expecting them to uphold their promise of privacy and security. It is crucial for Facebook to address this flaw to maintain user trust and protect personal information effectively.

Have you encountered similar issues on social media platforms? Share your thoughts and experiences in the comments below.

Thanks for spending your valuable time.

Have a wonderful day ;) Happy learning…!
