This is a quick post about a simple bug I found on Friendship Pages on Facebook. (Note: Not nearly as cool as a full account takeover, however!)
Friendship Pages show you how two users on Facebook are connected, with posts and photos they’re both tagged in, events they’ve both attended and common friends. On these pages, you’re given the option to upload a cover photo (like you would on your profile, or an event).
Removing A Cover
The cover photo on someones friendship page, we can remove from any account.
First, we need the friendship_id, which can be obtained with an AJAX call to /ajax/timeline/friendship_cover/selector, where profile_id is one user and friend_id is another.
Using this friendship_id we make an AJAX call to /ajax/timeline/friendship_cover/remove, placing the value into the profile_id parameter.
Refresh the page, and it’s disappeared.
Fix
Now, you can only remove your own cover.
Timeline
- 29th August 2013 - Reported
- 2nd September 2013 - Acknowledgment of Report
- 2nd September 2013 - Issue Fixed