A design flaw in the recent Facebook update FB5 let malicious users remove other users' profile pictures, setting them back to the default Facebook profile picture.

The vulnerability was discovered by security researcher Philippe Harewood, who had early access to FB5. Earlier, Zuckerberg said FB5 would bring the biggest change to the Facebook app and website.

With FB5, Facebook used GraphQL, an open-source API query language, to remove the profile picture from a Facebook fan page. GraphQL has been used by Facebook mobile apps since 2012.

Harewood explains that profile_picture_remove is the GraphQL mutation responsible for this operation.

“Normally, the mutation accepts a page identifier in the profile_id field for a Facebook page. Changing the identifier for any user profile allowed a malicious user to dissociate the user’s profile picture.”

Proof-of-Concept

Changing the identifier value removes the target's current profile picture and replaces it with the default profile picture. The image itself remains with the Facebook account, and users can change their picture at any time.

POST /graphql?access_token=EAA…ZDZD HTTP/1.1
Host: graph.facebook.com

q=Mutation a:b {profile_picture_remove(){client_mutation_id}}
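
The flaw described above comes down to a resolver acting on a client-supplied identifier without checking what the caller is allowed to touch. The sketch below is an added example, not Facebook's code or the researcher's: the resolver names, in-memory data and error strings are hypothetical, and it assumes the intended rule is that only an administrator of a page may remove that page's picture.

```javascript
// Constructed in-memory data; ids, field names and helpers are hypothetical.
const objects = new Map([
  ["page_1", { type: "PAGE", admins: new Set(["user_a"]), picture: "page.jpg" }],
  ["user_a", { type: "USER", picture: "a.jpg" }],
  ["user_b", { type: "USER", picture: "b.jpg" }],
]);
const DEFAULT_PICTURE = "default.jpg";

// Flawed resolver: trusts profile_id from the request and never consults
// viewerId, so any existing object id is accepted.
function removePictureFlawed(viewerId, input) {
  const target = objects.get(input.profile_id);
  if (!target) throw new Error("NOT_FOUND");
  target.picture = DEFAULT_PICTURE;
  return { client_mutation_id: input.client_mutation_id };
}

// Authorization rule (assumed): the target must be a page, and the
// authenticated viewer must be one of its administrators.
function mayRemovePicture(viewerId, target) {
  return target.type === "PAGE" && target.admins.has(viewerId);
}

// Hardened resolver: the decision is based on the authenticated viewer,
// not on anything the client put in the mutation input.
function removePictureHardened(viewerId, input) {
  const target = objects.get(input.profile_id);
  // One error for "missing" and "not allowed" so ids cannot be probed.
  if (!target || !mayRemovePicture(viewerId, target)) {
    throw new Error("FORBIDDEN");
  }
  target.picture = DEFAULT_PICTURE;
  return { client_mutation_id: input.client_mutation_id };
}

// Runs a resolver and reports the outcome as a string instead of throwing.
function attempt(resolver, viewerId, profileId) {
  try {
    resolver(viewerId, { profile_id: profileId, client_mutation_id: "1" });
    return "removed";
  } catch (e) {
    return e.message;
  }
}
```
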

The researcher reported the issue to Facebook, and the vulnerability has been fixed. Facebook awarded $2500 as a bounty. Recently, Facebook sued two app developers for click injection fraud using Facebook ads.
