Facebook Bug Let Security Researcher Delete Anyone’s Photos

Security researcher and white hat hacker Laxman Muthiyah recently discovered a serious vulnerability in Facebook that would have allowed a malicious user to delete anyone’s public photos with just a few lines of code. Using Facebook’s Graph API, Muthiyah was able to trick the social network into believing that he owned the photos, allowing him to delete entire albums at a time. Fortunately, Muthiyah immediately reported the bug to Facebook, the bug was fixed, and Facebook paid Muthiyah $12,500 as part of the company’s bug bounty program.

How to Delete Anyone’s Photos on Facebook

It seems like figuring out the vulnerability in question wasn’t even that difficult. At first, Muthiyah tried to delete one of his own photo albums using his Graph Explorer access token. However, upon making the API call, he received the following error message:

{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException", "code":200}}

But while that application does not have the capability to make the API call, the error message “tells us that some other application does have the capability,” says Muthiyah. He then tried a mobile access token and a photo album ID:

Request:
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

Response:

And the album got deleted. He then tried using another account’s album ID, and that album also got deleted.

“OMG 😀 the album got deleted! So I got access to delete all of your Facebook photos (photos which are public or the photos I could see) 😛 lol :D”

Essentially, four key lines of code with a victim’s album ID and a mobile access token were all it took to delete absolutely anyone’s photos on Facebook.
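As an added illustration (not Facebook’s or Muthiyah’s code), the following Python models the authorization gap the article describes: a DELETE handler that only checks whether the calling application has the capability, beside one that also checks that the token’s user owns the album. The store, the user names and the “permission denied” response are hypothetical; only the capability error text is taken from the article.

```python
from dataclasses import dataclass, field

# Error text copied from the article; the denial response below is a hypothetical stand-in.
CAPABILITY_ERROR = {"error": {"message": "(#200) Application does not have the capability to make this API call.",
                              "type": "OAuthException", "code": 200}}
DENIED = {"error": {"message": "permission denied (hypothetical response)", "code": 403}}


@dataclass
class Token:
    user_id: str             # the account the token was issued to
    can_delete_albums: bool  # app capability: False for Graph Explorer, True for the mobile app


@dataclass
class AlbumStore:
    owners: dict = field(default_factory=dict)  # album_id -> owner user_id (constructed data)

    def delete_vulnerable(self, album_id: str, token: Token) -> dict:
        """Checks only the application capability, never who owns the album (the reported bug)."""
        if not token.can_delete_albums:
            return CAPABILITY_ERROR
        self.owners.pop(album_id, None)
        return {"success": True}

    def delete_fixed(self, album_id: str, token: Token) -> dict:
        """Object-level authorization: the token's user must own the album being deleted."""
        if not token.can_delete_albums:
            return CAPABILITY_ERROR
        # Unknown and foreign albums get the same answer, so the endpoint also
        # does not confirm whether a guessed album ID exists.
        if self.owners.get(album_id) != token.user_id:
            return DENIED
        del self.owners[album_id]
        return {"success": True}


def run_scenario(fixed: bool) -> dict:
    """User 'mallory' holds a capable mobile token and calls DELETE on 'alice's album."""
    store = AlbumStore({"album-alice": "alice", "album-mallory": "mallory"})
    mobile = Token(user_id="mallory", can_delete_albums=True)
    explorer = Token(user_id="mallory", can_delete_albums=False)
    delete = store.delete_fixed if fixed else store.delete_vulnerable
    return {
        "explorer_on_own_album": delete("album-mallory", explorer),   # capability error either way
        "mobile_on_other_album": delete("album-alice", mobile),       # the decisive call
        "other_album_survives": "album-alice" in store.owners,
    }
```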

Good Guy Laxman Muthiyah

With knowledge of such a critical vulnerability, Muthiyah could have caused Facebook a lot of headaches. He could have pulled off a Lizard Squad-style attack, arbitrarily deleting photos left and right. He could also have sold the bug for a lot more than the $12,500 he received from Facebook’s bug bounty program. But in the end, Muthiyah decided to do the right thing and report the vulnerability to Facebook.

“They were too fast in identifying this issue and there was a fix in place in less than 2 hours from the acknowledgement of the report.”

The bug has been fixed and, at least for now, your Facebook photos are safe.

Images from Shutterstock.

I've always been interested in the latest stuff in science and technology, and I'm currently a freshman undergraduate electrical engineering student at the University of Texas at Austin.