Facebook Bug Let Security Researcher Delete Anyone’s Photos
Security researcher and white hat hacker Laxman Muthiyah recently discovered a serious vulnerability in Facebook that would have allowed a malicious user to delete anyone’s public photos with just a few lines of code. Using Facebook’s Graph API, Muthiyah was able to trick the social network into believing that he owned the photos, allowing him to delete entire albums at a time. Fortunately, Muthiyah immediately reported the bug to Facebook, the bug was fixed, and Facebook paid Muthiyah $12,500 as part of the company’s bug bounty program.
How to Delete Anyone’s Photos on Facebook
It seems like figuring out the vulnerability in question wasn’t even that difficult. At first, Muthiyah tried to delete one of his own photo albums using his Graph Explorer access token. However, upon making the API call, he received the following error message:
{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException", "code":200}}
But while that application does not have the capability to make the API call, the error message “tells us that some other application does have the capability,” says Muthiyah. He then tried a mobile access token and a photo album ID:
Request :-
DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response :-
true
And the album got deleted. He then tried using another account’s album ID, and that album also got deleted.
“OMG 😀 the album got deleted! So I got access to delete all of your Facebook photos (photos which are public or the photos I could see) 😛 lol :D”
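The fault the article describes is an object-level authorization gap: the server checked whether the calling application was permitted to delete albums, but not whether the user behind the token owned the album being deleted. The following Python model, added here and not code from the article, Muthiyah, or Facebook, puts a handler with that gap next to a corrected one and replays the three requests from the write-up against both. App names, user IDs, album IDs and the ownership-error response are constructed; the capability error text is the one quoted above. That the actual fix was an ownership check is an assumption, since the article does not say what Facebook changed.

```python
"""Model of the album-delete authorization bug and its fix (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    """What the API server learns from a bearer token: issuing app and token owner."""
    app: str
    user_id: str


@dataclass
class Album:
    album_id: str
    owner_id: str
    photos: list = field(default_factory=list)


# Apps whose tokens pass the capability check for DELETE /{album-id}.
# Constructed names: in the article the Graph Explorer token failed this
# check and the Facebook-for-Android token passed it.
APPS_WITH_DELETE_CAPABILITY = {"facebook_for_android"}

# Error quoted in the article, returned when the app itself lacks the capability.
CAPABILITY_ERROR = {"error": {
    "message": "(#200) Application does not have the capability to make this API call.",
    "type": "OAuthException", "code": 200}}

# Constructed response for a failed ownership check; the real wording is not on the page.
NOT_PERMITTED_ERROR = {"error": {
    "message": "(example) album not found or not owned by the token user",
    "type": "PermissionError", "code": 403}}


def delete_album_vulnerable(albums, token, album_id):
    """The flawed logic: the only check is whether the *application* may delete
    albums; the *user* the token belongs to is never compared with the owner."""
    if token.app not in APPS_WITH_DELETE_CAPABILITY:
        return CAPABILITY_ERROR
    if album_id not in albums:
        return NOT_PERMITTED_ERROR
    del albums[album_id]
    return True


def delete_album_fixed(albums, token, album_id):
    """Hardened logic: capability check plus an object-level ownership check."""
    if token.app not in APPS_WITH_DELETE_CAPABILITY:
        return CAPABILITY_ERROR
    album = albums.get(album_id)
    # One response for "no such album" and "not your album", so the endpoint
    # cannot be used to enumerate which album IDs exist.
    if album is None or album.owner_id != token.user_id:
        return NOT_PERMITTED_ERROR
    del albums[album_id]
    return True


def make_albums():
    """Constructed sample data: two users, one album each."""
    return {
        "album-1001": Album("album-1001", owner_id="alice", photos=["a.jpg", "b.jpg"]),
        "album-2002": Album("album-2002", owner_id="bob", photos=["c.jpg"]),
    }


def run_scenarios():
    """Replays the article's three requests (own album with the explorer token,
    own album with the mobile token, someone else's album with the mobile token)
    against both handlers and reports whether Alice's album survived."""
    explorer = AccessToken(app="graph_explorer", user_id="bob")
    android = AccessToken(app="facebook_for_android", user_id="bob")
    results = {}
    for name, handler in (("vulnerable", delete_album_vulnerable),
                          ("fixed", delete_album_fixed)):
        albums = make_albums()
        r1 = handler(albums, explorer, "album-2002")  # own album, explorer token
        r2 = handler(albums, android, "album-2002")   # own album, mobile token
        r3 = handler(albums, android, "album-1001")   # Alice's album, Bob's token
        results[name] = {
            "explorer_own": r1 == CAPABILITY_ERROR,
            "android_own": r2 is True,
            "android_other": r3 is True,
            "alice_album_survives": "album-1001" in albums,
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The design point is that a capability check answers "may this client call this method at all?", which is a question about the application; the missing check answers "may this principal act on this object?", which must be evaluated per request against the object's owner. Collapsing "not found" and "not owned" into one response is a deliberate choice so the delete endpoint does not double as an ID oracle.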
Good Guy Laxman Muthiyah
With knowledge of such a critical vulnerability, Muthiyah could have caused Facebook a lot of headaches. He could have pulled off a Lizard Squad-style attack, arbitrarily deleting photos left and right. He could have also sold the bug for a lot more than the $12,500 he received from Facebook’s bug bounty program. But in the end, Muthiyah decided to do the right thing and report the vulnerability to Facebook.
“They were too fast in identifying this issue and there was a fix in place in less than 2 hours from the acknowledgement of the report.”
The bug has been fixed and, at least for now, your Facebook photos are safe.
Images from Shutterstock.