Sometimes in bug hunting, you find vulnerabilities that require hours of digging, complex payloads, and deep technical skills. And sometimes… you just change a single value, click send, and boom — someone else's picture is gone.
This is the story of a bug that allowed me to remove other users' profile images and team logos with just a few easy steps.
Note: We've just crossed 500+ followers — yay! 🎉 Thank you all!
I've written 10 blogs (or you could say, documented 10 different bugs) that didn't require any tools to find — just pure manual testing. This blog, however, is not part of that series. It involves using tools, but I bet you'll still find it unique, simple, and impactful.
Hope you enjoy it! You can check out the full series here: LINK
My Twitter account: StrangeRwhite9 (I newly created it!)
📌 How the Website Worked
The Image Upload Feature
Most modern web applications include image upload functionality for user profiles, team logos, or content sharing. These features typically follow this pattern:
- User uploads an image
- System processes and stores the image
- System generates a unique identifier for the image
Once uploaded, the image became publicly accessible through a URL like this:
https://example.com/upload/99b3846c-2584-1368-baI4-8ra00p78628
Everything seemed normal — until I decided to take a closer look at what was happening behind the scenes.
🕵️♂️ Digging Into the Upload Process
When I uploaded my own logo, my browser sent a request to the server that looked like this:
"logo": {
"logo": "/static/upload/userupload/39b6166c-25f4-4378-aaf4-8ee00a66366a"
}
The important part is the image ID in the URL:
39b6166c-25f4-4378-aaf4-8ee00a66366a
This ID was unique to my uploaded image. But then I had a thought:
"What happens if I replace this ID with someone else's image ID?"

The Exploitation Process
The vulnerability becomes exploitable when an attacker:
- Intercepts the upload request using tools like Burp Suite
- Modifies the image ID parameter to reference another user's image
- Submits the modified request
For example, changing:
{"logo": "/static/upload/userupload/39b6166c-25f4-4378-aaf4-8ee00a66366a"}
to:
{"logo": "/static/upload/userupload/99b3846c-2584-1368-baI4-8ra00p78628"}
Step-by-Step of What Happened
1. I change my image ID to User2's image ID in the upload request → My profile now shows their picture.
2. At this point:
   - My profile and User2's profile are both linked to the same image ID.
   - No issue yet — we're just sharing the same file on the server.
3. Now I upload a new image for my profile → The system says:
   "Oh, the old image is not used anymore by User1, so I can delete it."
4. The problem → The system looks at the old image ID (xyz123) and just deletes it. No further checking, no asking "Does anyone else still need this image?"
5. Result:
   - The server deletes the file (because it thinks nobody is using it).
   - User2's profile picture disappears.

💡 You might be thinking:
"Why not just use the DELETE method to remove User2's image? That would be easier!"
Well… that wasn't possible. The website didn't have any "remove image" option at all. Once an image was uploaded, you could only change it — never delete it directly. So the only request the site allowed was a POST request to upload or replace an image. And that's exactly what I abused to make the deletion happen.
Suggested Fixes
- Ownership Binding: Store user ownership info for each uploaded image and verify it before any delete/update action.
- Unique Copies: If multiple users reference the same image, create separate physical copies instead of one shared file.
- Access Control: Validate every file reference against the authenticated user's permissions.
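To make the ownership and reference checks concrete, here is an added example (not the site's code, and not from the original post): a small in-memory model of the replace-logo handler, with the behaviour described above next to a hardened version. The `Store` class, its method names, the user names and the image IDs are all hypothetical and constructed for illustration.

```python
# Added example: in-memory model of a logo-replace handler (all names hypothetical).
PREFIX = "/static/upload/userupload/"


class Store:
    def __init__(self):
        self.files = {}   # image_id -> owner user_id (stands in for files on disk)
        self.logos = {}   # user_id  -> image_id currently set as that user's logo

    def upload(self, user, image_id):
        self.files[image_id] = user           # ownership is recorded at upload time
        return PREFIX + image_id

    def set_logo_vulnerable(self, user, logo_path):
        """Behaviour described in the post: trust the client path, delete the old file."""
        new_id = logo_path[len(PREFIX):]
        old_id = self.logos.get(user)
        self.logos[user] = new_id
        if old_id and old_id != new_id:
            self.files.pop(old_id, None)      # no ownership or reference check

    def set_logo(self, user, logo_path):
        """Hardened: ownership binding plus a reference check before deletion."""
        if not logo_path.startswith(PREFIX):
            raise ValueError("unexpected logo path")
        new_id = logo_path[len(PREFIX):]
        if self.files.get(new_id) != user:
            raise PermissionError("image does not belong to the caller")
        old_id = self.logos.get(user)
        self.logos[user] = new_id
        still_used = old_id in self.logos.values()
        # Delete only the caller's own file, and only if nobody references it.
        if old_id and self.files.get(old_id) == user and not still_used:
            del self.files[old_id]


def demo(handler_name):
    """Replay the sequence from the post; return True if User2's file survives."""
    s = Store()
    handler = getattr(s, handler_name)
    s.upload("user2", "img-user2")            # constructed sample data
    s.logos["user2"] = "img-user2"
    handler("user1", s.upload("user1", "img-a"))
    try:
        handler("user1", PREFIX + "img-user2")    # reference to another user's image
    except PermissionError:
        pass                                      # hardened handler rejects it
    handler("user1", s.upload("user1", "img-b"))  # normal replacement
    return "img-user2" in s.files
```

`demo("set_logo_vulnerable")` returns `False` (User2's file is deleted), while `demo("set_logo")` returns `True`.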
🎯 Takeaway
This bug was simple, but the consequences were serious. It's a reminder that even the smallest security checks — like verifying file ownership — can make the difference between a secure feature and a vulnerability anyone can abuse.
Got questions? Email me: strangerwhite9@gmail.com or reach out on Twitter: @StrangeRwhite9
by StrangeRwhite