Delete any Image on Facebook
![delete any image facebook](https://www.darabi.me/cdn/2017/poll/delete_any_image.jpg)
When I was checking out Facebook's new features, I noticed that a polling feature had been added to posts, so I started working on it.
![POLL POLL](https://www.darabi.me/cdn/2017/poll/create_poll.jpg)
Whenever a user creates a poll, a request containing a GIF URL or an image ID is sent. The `poll_question_data[options][][associated_image_id]` field contains the uploaded image ID.
![Image Image](https://www.darabi.me/cdn/2017/poll/poll_request.jpg)
When this field's value is changed to any other image's ID, that image is shown in the poll.
After sending the request with another user's image ID, a poll containing that image is created.
Our uploaded image has been replaced by the victim's image.
Finally, when we delete the poll, Facebook deletes the victim's image along with it, treating it as a property of the poll.
![Image Image](https://www.darabi.me/cdn/2017/poll/image_deleted.jpg)
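The missing authorization check behind this flow, as an added example (a constructed in-memory model, not Facebook's code and not part of the original write-up): the vulnerable handler stores any client-supplied `associated_image_id`, the checked handler verifies ownership first, and poll deletion cascades only to images the poll owner owns. The `Store` class, its method names, and the user and image IDs are assumptions made for illustration.

```python
class Forbidden(Exception):
    """Raised when the caller is not authorized for the referenced object."""

class Store:
    def __init__(self):
        self.images = {}   # image_id -> owner user id (non-empty string)
        self.polls = {}    # poll_id -> {"owner": user, "image_ids": [...]}
        self._next_poll = 1

    def create_poll_vulnerable(self, user, image_ids):
        # Trusts client-supplied associated_image_id values as-is.
        return self._save(user, image_ids)

    def create_poll_checked(self, user, image_ids):
        # Reject any image id that is unknown or not owned by the caller.
        for image_id in image_ids:
            if self.images.get(image_id) != user:
                raise Forbidden(f"image {image_id} not owned by {user}")
        return self._save(user, image_ids)

    def _save(self, user, image_ids):
        poll_id = self._next_poll
        self._next_poll += 1
        self.polls[poll_id] = {"owner": user, "image_ids": list(image_ids)}
        return poll_id

    def delete_poll(self, user, poll_id, cascade_check=True):
        poll = self.polls.get(poll_id)
        if poll is None or poll["owner"] != user:
            raise Forbidden("not the poll owner")
        for image_id in poll["image_ids"]:
            # Defence in depth: cascade only to images the poll owner owns.
            if not cascade_check or self.images.get(image_id) == user:
                self.images.pop(image_id, None)
        del self.polls[poll_id]

def demo():
    s = Store()
    s.images = {101: "attacker", 202: "victim"}   # constructed sample data
    p = s.create_poll_vulnerable("attacker", [202])
    s.delete_poll("attacker", p, cascade_check=False)
    lost = 202 not in s.images                    # unchecked path: image gone
    s.images[202] = "victim"                      # restore for the checked run
    try:
        s.create_poll_checked("attacker", [202])
    except Forbidden:
        return lost, True
    return lost, False
```

Checking ownership at both points matters: the create-time check stops the foreign reference from being stored, and the delete-time check protects references that were stored before the first check existed.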
POC:
I appreciate the Facebook security team for resolving this vulnerability quickly.