Initially this is a different way to recreate the bug found by Mohamed A. Baset around March 2014 (https://www.youtube.com/watch?v=zepq4U-ahoU, https://twitter.com/symbiansymoh/status/441364355448176640). The final decision, however, was that this behavior does not pose a significant privacy/security risk to qualify for a payout. Nevertheless I decided it was a good idea to share the possibility of recreating old bugs.
In summary, he was able to use the mobile (m.facebook.com) endpoint to change a status object to an added_photos object without changing the edit history.
The risk associated with this, I believe, was that any user who commented on or liked the owner’s post would not be notified of this change and, from the current timeframe, would be seen to be associated with interacting with a photo they didn’t initially see.
The fix in place that I’ve seen is that using the link
Will result in the post showing the edit history.
Using an API endpoint I can recreate this bug leaving no edit history.
Proof of Concept
Given a whitehat account
Two posts were created
A “I love this life.”
B “I hate this life.”
Patched Method using A
a. Using the patched bug link for post ID 1379036662420184
b. Choose a file and click upload.
The photo will be uploaded and the user will be redirected to
And the edit history is logged
Graph API Method using B
a. Obtain a Facebook Native App user access_token for the user
This could also have been done by decompiling a Facebook app, getting the client and creating a signature. I prefer the API login method.
b. Upload the photo via the /me/photos endpoint unpublished (published=false)
c. Grab the ID from the response
d. Target the POST ID 1379036692420181 as 100009415895135_1379036692420181 (B) via publishing (published=1) the unpublished photo ID
The response is true
e. Check the edits
None are shown
f. Check the activity log
Notice that the timestamp isn’t set for when the photo was added but when the user initially created the post
Thus, I believe I have successfully found a workaround to the patch placed in m.facebook.com for the bug reported in March 2014.
The fix here will be the same as in the original report: ensure that edit history is shown when any new object is added.
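A sketch of that fix, added here as an illustration and not taken from Facebook's code or from the original report: the edit-history entry is written inside the one mutation that attaches an object, so every write surface inherits it, and an audit flags posts where an object was attached after creation with no matching entry. All class, function and field names are hypothetical, and the sample posts are constructed.

```python
# Added illustration: every name below is hypothetical, not Facebook's code.
from dataclasses import dataclass, field

@dataclass
class Post:
    post_id: str
    created: int                                      # epoch seconds
    text: str
    attachments: list = field(default_factory=list)   # (object_id, added_at)
    edits: list = field(default_factory=list)         # (timestamp, kind, object_id)

    def attach(self, object_id, now):
        """Single mutation path: the edit entry is written with the change."""
        self.attachments.append((object_id, now))
        self.edits.append((now, "added_photos", object_id))

def mobile_edit_upload(post, photo_id, now):
    """Write surface 1 (assumed): the mobile edit form."""
    post.attach(photo_id, now)

def api_publish_to_target(post, photo_id, now):
    """Write surface 2 (assumed): publishing an unpublished photo onto a post."""
    post.attach(photo_id, now)

def unpatched_api_publish(post, photo_id, now):
    """Models the gap in the write-up: object attached, nothing logged."""
    post.attachments.append((photo_id, now))

def unlogged_attachments(post):
    """Audit: objects added after creation that have no edit-history entry."""
    logged = {obj for _, kind, obj in post.edits if kind == "added_photos"}
    return [obj for obj, added in post.attachments
            if added > post.created and obj not in logged]

def demo():
    # Constructed sample data mirroring posts A and B from the write-up.
    a = Post("A", 1000, "I love this life.")
    b = Post("B", 1000, "I hate this life.")
    fixed_b = Post("B-fixed", 1000, "I hate this life.")
    mobile_edit_upload(a, "photo-1", 2000)
    unpatched_api_publish(b, "photo-2", 2000)
    api_publish_to_target(fixed_b, "photo-2", 2000)
    return {p.post_id: unlogged_attachments(p) for p in (a, b, fixed_b)}

if __name__ == "__main__":
    print(demo())
```

The same audit run periodically over stored posts acts as a regression check: a new write path that forgets the history entry shows up as a non-empty result.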
Mar 22, 2015 8:21pm – Report Sent
Mar 24, 2015 5:42pm – Escalation by Facebook
May 19, 2015 8:37pm – Patched by Facebook
May 22, 2015 5:53pm – Facebook made the decision that this behavior does not pose a significant privacy/security risk to qualify for a payout.