How a bug almost ate all of your Facebook photos

Researcher reports he can delete photos from anybody’s account, Facebook patches flaw, he collects $12,500 bounty

A researcher found out how to delete anyone’s Facebook pictures but rather than do it, reported the flaw to the company, which patched it and gave him a reward.

Laxman Muthiyah Facebook

Laxman Muthiyah

Laxman Muthiyah, a Web developer at the Indian movie site Behindwoods, says he used Facebook’s mobile-access client and a developer’s API to eliminate sample albums.

When he told Facebook about it Tuesday, they fixed the problem in about two hours, he says, and told him he was eligible to collect a $12,500 bug bounty.

“Laxman could probably have sold that bug to somebody other than Facebook and earned a great deal more money than he got for doing the Right Thing,” says Mark Stockley, a Web consultant writing in the nakedsecurity blog.

By Muthiyah’s own account the hack was fairly simple, requiring just four lines of code.

He says he was playing around with Graph API, a feature of Facebook applications that allow developers to read and write user data. According to developers’ documentation, it can’t be used to delete albums, but he tried anyway and sure enough it didn’t work.

The attempt returned the error message:

Response :-

{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}

That led him to think that while the application didn’t have the capability to make the API call, some other application might. So he authenticated using his Android access token with the Facebook for mobile app, which it also uses Graph API and has a delete option. He tried it with this code:

DELETE /<Victim's_photo_album_id> HTTP/1.1

Host : 

Content-Length: 245


And it worked.

“OMG :D the album got deleted!” he writes. “So I got the key to delete all of your Facebook photos :P lol :D”

Facebook messaged him that they’d received his notification of the flaw Feb. 10 and within 12 hours had awarded him the bounty.

Actually wiping out all of Facebook’s photo albums with Muthiyah would have required a lot of work, says Stockley. “In practice Facebook probably operates rate limiting or other countermeasures that would prevent a single device from doing too much harm,” he writes, “and even if it doesn't, the social network is so large an attacker would probably struggle to delete albums as fast as people on Facebook create new ones.

“But that's just a question of horsepower, and horsepower is easy on the internet - there are kids running botnets of 60,000 computers.”

This story, "How a bug almost ate all of your Facebook photos" was originally published by Network World.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon