How billions of Facebook photos could have been deleted in an instant, due to software vulnerability

Hundreds of millions of photographs are uploaded to Facebook every day – can you imagine if many of them were deleted in the blink of an eye?

We have security researcher Laxman Muthiyah to thank for not abusing his ability to delete billions of images, when he stumbled across a serious vulnerability in Facebook’s Graph API last week.

The Graph API is the primary way that Facebook apps access and post information to your account on the world’s most popular social network, but there are supposed to be restrictions on just how much it should be capable of doing.

For instance, the Graph API isn’t supposed to allow app developers to delete public Facebook photo albums (including cover photos).

Sure enough, when Mutiyah tried to delete one of his own photo albums using the API his request was refused.

So far, so good.

Most Graph API requests require the use of access tokens which apps can generate by implementing what’s known as Facebook Login. Even though Mutiyah had an access token, Facebook rightly refused to allow the deletion of his photo album.

But then the researcher tried something different. He tried the same request, but this time using an access token used by Facebook’s mobile Android application.

This time, to Mutiyah’s surprise, the API’s response to his request the deletion of the photo album was successful, returning the value “true”.

For the security researcher, the next thing to try was obvious. What would happen if he sent the album ID of a victim’s photo album rather than his own? You can probably guess…

OMG 😀 the album got deleted! So i got access to delete all of your Facebook photos (photos which are public or the photos i could see) 😛 lol 😀

A YouTube video, made by Laxman Muthiyah, demonstrates the vulnerability in action.

Fortunately, Mutiyah decided to immediately report the bug to Facebook’s security team. They were commendably fast in responding to the issue, and had a fix in place in less than two hours.

For his efforts, Mutiyah has been told by Facebook’s security team that he is in line for a $12,500 bug bounty.

Yes, it’s good that Facebook responded quickly to the report of the vulnerability – but the fact of that matter is that such a serious bug shouldn’t have been there in the first place. It’s an indication of the lack of proper testing that one of the world’s biggest websites was running so fast and loose with its users data – opening up opportunities for the destruction of photo albums and people’s precious memories.

One wonders what other bugs remain on the site, as yet uncovered…