This is how I was able to see and delete your private Facebook Portal photos

About Facebook Portal

Facebook Portal is a multi-functional app designed mainly for Portal devices. It lets you make calls and create/share albums and photos to connected Portal devices, although it also works without a Portal device.


This bug could have allowed a malicious user to view and delete a targeted photo in the Facebook Portal app without having the victim’s login credentials or owning the album.


Private photos could be read and deleted without authorization: a malicious user could have permanently deleted photos from a user’s secret albums, added those photos to an attacker-controlled album, and regenerated a valid CDN URL for them.


One day I was using my Android smartphone while enjoying my tea. While scrolling the Facebook home page I saw an ad for “Facebook Portal video calling devices”, and just after seeing the ad I became very curious to explore it further.

Repro Steps

Created two Portal users, UserA and UserB, where UserA is the victim and UserB is the malicious user (attacker).

UserA Steps

  • Clicked on the upload button, selected an image and clicked on “Add 1 Photo”.
  • Clicked on “New Album” to upload the selected image into a newly created album.
  • Just after uploading the image I got the details of the uploaded media in the response, such as the Media ID, CDN URL, etc.
  • Copied that Media ID from the response to test it further.

UserB Steps

  • Did everything the same as UserA, but this time I noticed something new.
  • While checking all the requests in HttpCanary, I found the endpoint which creates the album, and, most importantly, some of the parameters were empty; mainly “album_media_ids” was empty.
  • I was curious to know what would happen if I appended UserA’s Media ID to this empty array/list.
  • I immediately replaced [] with [“135XXXXXXXXXX39”], where 135XXXXXXXXXX39 was UserA’s Media ID, and sent the request.
  • Well, it didn’t give me any error like “You are not allowed to perform this action” or “You are not allowed to access/upload this media”; instead it gave a valid response with the media CDN URL, because the backend was not verifying the owner ID of that particular media. Due to this misconfiguration it was vulnerable to an IDOR attack.
  • When I opened UserB’s Facebook Portal app, I saw that UserA’s photo had been added to the newly created album.
  • Now I decided to delete the photo from UserB’s newly created album to see what would happen in UserA’s account.
  • I immediately deleted that photo from UserB’s album and checked UserA’s account.
  • Well! Well! Well, the photo was deleted from UserA’s album too.
  • I stopped testing and reported the vulnerability to the Facebook Whitehat program.


The “cover_photo_id” JSON parameter was also vulnerable, along with “album_media_ids”.
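The two authorization gaps in the steps above, modelled as an added example (this is not Facebook's code; the handler names, the in-memory store, the sample users and the media IDs are assumptions). The vulnerable album-creation handler only checks that each ID in album_media_ids and cover_photo_id exists, which is the IDOR; the hardened one also checks that the caller owns every referenced object. The delete handlers show why removing the photo from the attacker's album also removed it from the victim's: the vulnerable one checks album ownership but destroys the shared media object.

```python
from dataclasses import dataclass, field
from typing import Optional


class AuthorizationError(Exception):
    """The caller referenced an object it does not own."""


@dataclass
class Media:
    media_id: str
    owner_id: str
    cdn_url: str


@dataclass
class Album:
    album_id: str
    owner_id: str
    media_ids: list
    cover_photo_id: Optional[str] = None


@dataclass
class Store:
    """In-memory stand-in for the backend database (assumption)."""
    media: dict = field(default_factory=dict)
    albums: dict = field(default_factory=dict)
    next_album: int = 1


def new_store() -> Store:
    """Constructed sample data: the victim (userA) and the attacker (userB) each own one photo."""
    s = Store()
    s.media["135000000000039"] = Media("135000000000039", "userA", "https://cdn.example/a.jpg")
    s.media["135000000000040"] = Media("135000000000040", "userB", "https://cdn.example/b.jpg")
    return s


def _referenced_ids(album_media_ids, cover_photo_id):
    """Every object ID the request names: album_media_ids plus cover_photo_id."""
    ids = list(album_media_ids)
    if cover_photo_id is not None:
        ids.append(cover_photo_id)
    return ids


def _save_album(store, owner_id, album_media_ids, cover_photo_id):
    album = Album(f"album{store.next_album}", owner_id, list(album_media_ids), cover_photo_id)
    store.next_album += 1
    store.albums[album.album_id] = album
    # The response echoes a CDN URL for every media ID, as in the write-up.
    return {"album_id": album.album_id,
            "media": [{"id": m, "cdn_url": store.media[m].cdn_url} for m in album.media_ids]}


def create_album_vulnerable(store, caller_id, album_media_ids, cover_photo_id=None):
    """Behaviour from the write-up: IDs are checked for existence, never for ownership."""
    for mid in _referenced_ids(album_media_ids, cover_photo_id):
        if mid not in store.media:
            raise KeyError(mid)
    return _save_album(store, caller_id, album_media_ids, cover_photo_id)


def create_album_fixed(store, caller_id, album_media_ids, cover_photo_id=None):
    """Hardened: every referenced media object must exist AND belong to the caller."""
    for mid in _referenced_ids(album_media_ids, cover_photo_id):
        media = store.media.get(mid)
        # Same error for unknown and foreign IDs, so the endpoint is not an existence oracle.
        if media is None or media.owner_id != caller_id:
            raise AuthorizationError("You are not allowed to access this media")
    return _save_album(store, caller_id, album_media_ids, cover_photo_id)


def delete_album_photo_vulnerable(store, caller_id, album_id, media_id):
    """Checks only album ownership, then destroys the media object itself."""
    album = store.albums[album_id]
    if album.owner_id != caller_id or media_id not in album.media_ids:
        raise AuthorizationError("You are not allowed to edit this album")
    album.media_ids.remove(media_id)
    store.media.pop(media_id, None)   # gone from every album that referenced it, the victim's too
    return {"deleted": media_id}


def delete_album_photo_fixed(store, caller_id, album_id, media_id):
    """Hardened: the media object may only be destroyed by its owner."""
    album = store.albums[album_id]
    media = store.media.get(media_id)
    if (album.owner_id != caller_id or media_id not in album.media_ids
            or media is None or media.owner_id != caller_id):
        raise AuthorizationError("You are not allowed to delete this media")
    album.media_ids.remove(media_id)
    del store.media[media_id]
    return {"deleted": media_id}


def request(handler, *args):
    """Turn a handler call into an API-style response dict instead of an exception."""
    try:
        return handler(*args)
    except AuthorizationError as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    s = new_store()
    print(request(create_album_vulnerable, s, "userB", ["135000000000039"]))  # leaks userA's CDN URL
    print(request(create_album_fixed, s, "userB", ["135000000000039"]))       # {'error': ...}
```

The check in create_album_fixed is the whole fix: ownership is verified per referenced object (both lists, including the cover photo), not just for the album being created. The fixed delete handler is defence in depth, since a photo that was never allowed into the attacker's album cannot be deleted from it.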


16 Sept 2021 — Initial Report


