How a bug almost ate all of your Facebook photos

A researcher found out how to delete anyone's Facebook pictures but rather than do it, reported the flaw to the company, which patched it and gave him a reward.

Laxman Muthiyah, a Web developer at the Indian movie site Behindwoods, says he used Facebook's mobile-access client and a developer's API to eliminate sample albums.

When he told Facebook about it Tuesday, they fixed the problem in about two hours, he says, and told him he was eligible to collect a $12,500 bug bounty.

"Laxman could probably have sold that bug to somebody other than Facebook and earned a great deal more money than he got for doing the Right Thing," says Mark Stockley, a Web consultant writing in the nakedsecurity blog.

By Muthiyah's own account the hack was fairly simple, requiring just four lines of code.

He says he was playing around with the Graph API, a feature of Facebook's developer platform that allows applications to read and write user data. According to the developer documentation it can't be used to delete albums, but he tried anyway and, sure enough, it didn't work.

The attempt returned the error message:

Response:

{"error":{"message":"(#200)  Application does not have the capability to make this API call.","type":"OAuthException","code":200}}

That led him to think that while his own application didn't have the capability to make the API call, some other application might. So he authenticated using his Facebook for Android access token, since the official mobile app also uses the Graph API and has a delete option, and tried this request:

DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

And it worked.
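Added example, not code from the article or from Facebook: a minimal server-side model of the authorization gap the researcher hit. The vulnerable handler checks only whether the calling app may issue DELETE (the capability check behind the #200 error quoted above); the fixed handler also checks that the token's user owns the album. All ids, app names and the 403 denial are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Token:
    """An access token as the server sees it after validation (constructed)."""
    user_id: str   # who authenticated
    app_id: str    # which client app the token was issued to


# Constructed data: which client apps may issue DELETE, and who owns each album.
APP_CAN_DELETE = {"facebook_for_android": True, "third_party_web_app": False}
ALBUMS = {"album_victim_1": "victim", "album_attacker_1": "attacker"}

# Error shape copied from the response quoted in the article.
CAPABILITY_ERROR = {"error": {
    "message": "(#200) Application does not have the capability to make this API call.",
    "type": "OAuthException", "code": 200}}
# Constructed denial used by the fixed handler; not Facebook's real wording.
AUTHZ_ERROR = {"error": {"message": "Unknown album or not permitted", "code": 403}}


def delete_album_vulnerable(albums, album_id, token):
    """The flaw: asks 'may this app call DELETE?' but never 'is this the caller's album?'."""
    if not APP_CAN_DELETE.get(token.app_id, False):
        return CAPABILITY_ERROR
    if album_id not in albums:
        return AUTHZ_ERROR
    del albums[album_id]          # any user with a capable app can delete anyone's album
    return {"success": True}


def delete_album_fixed(albums, album_id, token):
    """Object-level authorization: app capability AND ownership must both hold."""
    if not APP_CAN_DELETE.get(token.app_id, False):
        return CAPABILITY_ERROR
    # One response for 'missing' and 'not yours', so the endpoint does not
    # confirm which album ids exist.
    if albums.get(album_id) != token.user_id:
        return AUTHZ_ERROR
    del albums[album_id]
    return {"success": True}


if __name__ == "__main__":
    attacker = Token(user_id="attacker", app_id="facebook_for_android")
    vuln, fixed = dict(ALBUMS), dict(ALBUMS)
    print(delete_album_vulnerable(vuln, "album_victim_1", attacker), vuln)
    print(delete_album_fixed(fixed, "album_victim_1", attacker), fixed)
```

The same token that succeeds against the vulnerable handler is refused by the fixed one for the victim's album but still allowed for the attacker's own album.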

"OMG :D the album got deleted!" he writes. "So I got the key to delete all of your Facebook photos :P lol :D"

Facebook messaged him that they'd received his notification of the flaw Feb. 10 and within 12 hours had awarded him the bounty.

Actually wiping out all of Facebook's photo albums using Muthiyah's bug would have required a lot of work, says Stockley. "In practice Facebook probably operates rate limiting or other countermeasures that would prevent a single device from doing too much harm," he writes, "and even if it doesn't, the social network is so large an attacker would probably struggle to delete albums as fast as people on Facebook create new ones.

"But that's just a question of horsepower, and horsepower is easy on the internet - there are kids running botnets of 60,000 computers."

Stories by Tim Greene