How a bug almost ate all of your Facebook photos

A researcher found out how to delete anyone's Facebook pictures but rather than do it, reported the flaw to the company, which patched it and gave him a reward.

A researcher found out how to delete anyone's Facebook pictures but rather than do it, reported the flaw to the company, which patched it and gave him a reward.

Laxman Muthiyah, a Web developer at the Indian movie site Behindwoods, says he used Facebook's mobile-access client and a developer's API to eliminate sample albums.

When he told Facebook about it Tuesday, they fixed the problem in about two hours, he says, and told him he was eligible to collect a $12,500 bug bounty.

"Laxman could probably have sold that bug to somebody other than Facebook and earned a great deal more money than he got for doing the Right Thing," says Mark Stockley, a Web consultant writing in the nakedsecurity blog.

By Muthiyah's own account the hack was fairly simple, requiring just four lines of code.

He says he was playing around with Graph API, a feature of Facebook applications that allow developers to read and write user data. According to developers' documentation, it can't be used to delete albums, but he tried anyway and sure enough it didn't work.

The attempt returned the error message:

Response :-

{"error":{"message":"(#200)  Application does not have the capability to make this API call.","type":"OAuthException","code":200}}

That led him to think that while the application didn't have the capability to make the API call, some other application might. So he authenticated using his Android access token with the Facebook for mobile app, which it also uses Graph API and has a delete option. He tried it with this code:

DELETE /<Victim's_photo_album_id> HTTP/1.1

Host :  graph.facebook.com 

Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

And it worked.

"OMG :D the album got deleted!" he writes. "So I got the key to delete all of your Facebook photos :P lol :D"

Facebook messaged him that they'd received his notification of the flaw Feb. 10 and within 12 hours had awarded him the bounty.

Actually wiping out all of Facebook's photo albums with Muthiyah would have required a lot of work, says Stockley. "In practice Facebook probably operates rate limiting or other countermeasures that would prevent a single device from doing too much harm," he writes, "and even if it doesn't, the social network is so large an attacker would probably struggle to delete albums as fast as people on Facebook create new ones.

"But that's just a question of horsepower, and horsepower is easy on the internet - there are kids running botnets of 60,000 computers."

Join the CSO newsletter!

Error: Please check your email address.

Tags securityFacebook

More about Facebook

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

More videos

Blog Posts