How billions of Facebook photos could have been deleted in an instant, due to software vulnerability

Hundreds of millions of photographs are uploaded to Facebook every day – can you imagine if many of them were deleted in the blink of an eye?

We have security researcher Laxman Muthiyah to thank for not abusing his ability to delete billions of images, when he stumbled across a serious vulnerability in Facebook’s Graph API last week.

The Graph API is the primary way that Facebook apps access and post information to your account on the world’s most popular social network, but there are supposed to be restrictions on just how much it should be capable of doing.

For instance, the Graph API isn’t supposed to allow app developers to delete public Facebook photo albums (including cover photos).

Sure enough, when Muthiyah tried to delete one of his own photo albums using the API, his request was refused.

[Screenshot: cant-delete]

So far, so good.

Most Graph API requests require the use of access tokens, which apps can generate by implementing what’s known as Facebook Login. Even though Muthiyah had an access token, Facebook rightly refused to allow the deletion of his photo album.

But then the researcher tried something different. He tried the same request, but this time using an access token used by Facebook’s mobile Android application.

[Screenshot: delete]

This time, to Muthiyah’s surprise, the API’s response to his request to delete the photo album was successful, returning the value “true”.

For the security researcher, the next thing to try was obvious. What would happen if he sent the album ID of a victim’s photo album rather than his own? You can probably guess…

OMG :D the album got deleted! So i got access to delete all of your Facebook photos (photos which are public or the photos i could see) :P lol :D

[Screenshot: album-unavailable]

A YouTube video, made by Laxman Muthiyah, demonstrates the vulnerability in action.
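The flaw described above is a classic missing ownership check: the API's decision hinged on which client the token came from, and once the token belonged to a trusted first-party client, any album ID the caller named was deleted. The following is an added illustration, not Facebook's code and not part of the original article. It models the flawed decision beside a hardened one in which the owner of the resource is always compared with the user the token was issued to, and every denial is recorded for later detection. The client labels, the album IDs and the scope name "manage_albums" are constructed placeholders, not real Graph API values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class AccessToken:
    """Minimal stand-in for an API access token (constructed for this example)."""
    user_id: str                       # the user who authorised the token
    client: str                        # "first_party" (vendor's own app) or "third_party" (hypothetical labels)
    scopes: FrozenSet[str] = frozenset()


@dataclass
class Album:
    album_id: str
    owner_id: str
    deleted: bool = False


def make_store() -> Dict[str, Album]:
    """Constructed sample data: two users, one album each."""
    return {
        "album-alice-1": Album("album-alice-1", owner_id="alice"),
        "album-bob-1": Album("album-bob-1", owner_id="bob"),
    }


def delete_album_flawed(store: Dict[str, Album], token: AccessToken, album_id: str) -> bool:
    """Reproduces the pattern the article describes: a third-party token is refused,
    but a first-party client token is trusted unconditionally, so the album's owner
    is never compared with the token's user. Any album ID the caller names is deleted."""
    if token.client != "first_party":
        return False
    album = store.get(album_id)
    if album is None:
        return False
    album.deleted = True
    return True


def authorize_album_delete(token: AccessToken, album: Album) -> Optional[str]:
    """Central authorization decision. Returns None when the request is allowed,
    otherwise a short denial reason suitable for an audit log.
    The scope name 'manage_albums' is a hypothetical placeholder."""
    if token.client != "first_party":
        return "client_not_permitted"      # the operation is not exposed to third-party apps at all
    if "manage_albums" not in token.scopes:
        return "missing_scope"
    if album.owner_id != token.user_id:
        return "not_owner"                 # the check the flawed version lacks
    return None


def delete_album_fixed(store: Dict[str, Album], token: AccessToken, album_id: str,
                       audit: Optional[list] = None) -> bool:
    """Hardened version: ownership is checked for every client; client type and scope only
    decide whether the operation is available at all. Denials are recorded so that a burst
    of 'not_owner' denials from one user can be picked up by monitoring."""
    album = store.get(album_id)
    if album is None:
        return False
    reason = authorize_album_delete(token, album)
    if reason is not None:
        if audit is not None:
            audit.append({"user": token.user_id, "album": album_id, "denied": reason})
        return False
    album.deleted = True
    return True


def demo() -> Dict[str, bool]:
    """Runs the cross-account scenario from the article against both implementations."""
    alice_app_token = AccessToken("alice", "first_party", frozenset({"manage_albums"}))
    alice_third_party = AccessToken("alice", "third_party", frozenset({"manage_albums"}))
    return {
        # flawed: alice's first-party token deletes bob's album
        "flawed_cross_account": delete_album_flawed(make_store(), alice_app_token, "album-bob-1"),
        # fixed: same request is denied because alice does not own the album
        "fixed_cross_account": delete_album_fixed(make_store(), alice_app_token, "album-bob-1"),
        # fixed: alice can still delete her own album with the first-party token
        "fixed_own_album": delete_album_fixed(make_store(), alice_app_token, "album-alice-1"),
        # fixed: a third-party app token is refused even for the owner's own album
        "fixed_third_party_own_album": delete_album_fixed(make_store(), alice_third_party, "album-alice-1"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'deleted' if outcome else 'denied'}")
```

The point of `authorize_album_delete` is that there is exactly one place where the decision is made, and it takes both the token and the resource as inputs; a client-type shortcut that never looks at the resource cannot pass review when the function signature forces the comparison.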

Fortunately, Muthiyah decided to immediately report the bug to Facebook’s security team. They were commendably fast in responding to the issue, and had a fix in place in less than two hours.

For his efforts, Muthiyah has been told by Facebook’s security team that he is in line for a $12,500 bug bounty.

Yes, it’s good that Facebook responded quickly to the report of the vulnerability – but the fact of the matter is that such a serious bug shouldn’t have been there in the first place. It’s an indication of a lack of proper testing that one of the world’s biggest websites was running so fast and loose with its users’ data – opening up opportunities for the destruction of photo albums and people’s precious memories.

One wonders what other bugs remain on the site, as yet uncovered…

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments

  • “One wonders what other bugs remain on the site, as yet uncovered…”

    I don’t know but if I were to ever use it I would hope I’d find one that would make everyone delete their account. Okay, maybe not – it keeps them away from those uninterested and simultaneously allows them to be with those who like it (whether family, friends, it really doesn’t matter their reasons). As for this researcher, while I certainly won’t claim this, the cynic in me also thinks on this:

    “For his efforts, Muthiyah has been told by Facebook’s security team that he is in line for a $12,500 bug bounty.”

    that:
    1. he was already doing the research and he would have likely done it anyway (something about research that is more than monetary gain – a passion, perhaps).
    2. he didn’t actually follow through with the act because he was in line for the money (and guessed it beforehand).

    Ironically some might think the two contradict each other, and while they might in some ways, they don’t in full. Still, yes it is probably (read: definitely) best he didn’t follow through. Would however find out if Facebook backs up and how good their backup plan is. But I can imagine it would really anger a lot of people (especially those who use it as their backup (they don’t deserve it but they’re asking for a world of hurt))… As much as I am averse to Facebook, I’m glad he was ethical about it… and hopefully he does get the bounty. Certainly his character is worthy of it.