Unauthorized access to any Facebook user’s draft profile picture frames

This is being published with the permission of Facebook under the responsible disclosure policy.
Sandeep Hodkasia

Sandeep Hodkasia

October 22, 2021



Facebook allows its users to create frames for profile pictures. The users have an option to save the frames in the draft for publishing it in the future.


During the security research on facebook.com web application, it was identified that the `image_id` parameter of the POST /media_effect/swipeable_frame/image/process_background/?image_id=XXXXX HTTP request is vulnerable to Insecure Direct Object Reference. Insecure Direct Object References (IDOR) occurs when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access any resources in the system directly.

This bug could have allowed the attackers to access any draft frame using the image id in the vulnerable request. The response will disclose the CDN URL of draft frame.


Vulnerable Request:


POST /media_effect/swipeable_frame/image/process_background/?image_id=1343397992677858 HTTP/1.1
Host: www.facebook.com
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://www.facebook.com/
Cookie: XXXXXX







User A uploaded an art while creating a frame and saved the frame in the draft.
User B who is an attacker and wants to view user A’s unpublished frames.

Steps to Reproduce:


1. Log in to facebook.com as User A.

2. Go to https://www.facebook.com/frames/manage/ .

3. Click on the ‘Open frame studio’ button, upload an art in the ‘Create frame’ window, and save the frame in the draft.

3. Log in to facebook.com as User B.

4. Go to https://www.facebook.com/frames/manage/ and click on the “open frame studio” button.

5. Upload an art in the ‘create frame’ pop-up.

6. Intercept the vulnerable request in the Burp Suite.

7. Change the image_id parameter value with the user A uploaded art image id. The draft art CDN url of User A will be disclosed in the API response.

8. Copy the disclosed art CDN url and open it in the browser. The uploaded frame of User A will be displayed in the browser.


January 23, 2021: Bug reported to Facebook
February 18, 2021: Facebook team managed to reproduce the bug at their end.
March 2, 2021: Facebook team resolved the bug and requested to verify the patch.
March 3, 2021: Patch verified
June 12, 2021: Bounty awarded

Share this

AppSecure helped more than 200+ companies across the globe in protecting their customers' data and business.

Get in touch with us today

Recommended Articles


Secure Your Auth0 Authentication: Deep Dive into Auth0 Best Security Practices

Read more

Auth0 Best Security Practices by Appsecure Security | appsecure.security | Penetration Testing Company


Exploiting File Upload Vulnerabilities: Prevention Strategies

Read more

file upload vulnerability image icon

Transform your company's security landscape with our cutting-edge 2023 insights.

Enhance your security with our expertly crafted checklist by top security engineers.

Fortify your defenses with the world’s top leading cybersecurity company

Thank you!

We have received your request, We’ll get back to you in less than 24hours

Back to Home