This Facebook Bug Allowed Anyone To Delete Your Photos

fb

How many photos do you have on Facebook? How many of those are photos you never thought to back up?

This just-disclosed Facebook bug would have allowed for anyone with a bit of technical know-how to delete any photo on Facebook.

Fortunately, the guy who discovered the bug (Laxman Muthiyah of India) was quick to give Facebook a heads up — and for his troubles, he got a $12,500 bounty. (Sure, the bug could have pretty easily done more than $12,500 worth of damage to Facebook — but that’s not quite how bug bounty projects work.)

Facebook turned around and fixed the bug in about two hours.

Laxman has a breakdown of how it all works here, but here’s the short version: Facebook’s Graph API wasn’t checking permissions properly. If you sent a request to the Graph API to delete another user’s photo album and toss your own Facebook for Android token as the required stamp of approval, it’d blindly accept it and the album would vanish.

On the attacker’s end, the album delete command would have looked something like this:

Request :-
DELETE /[Victim’s_photo_album_id] HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
access_token=[Your(Attacker)_Facebook_for_Android_Access_Token]

On the victim’s end, the photo album would have just… disappeared.

It’s a rather simple bug, really — one of those things that you’d just never expect to actually work.

But it did — and it could have had pretty nasty consequences. As Sophos security points out, Facebook photo albums are identified and stored with simple, sequential numbers. If someone were to have popped this thing on a server and scripted up a basic number incrementer to blindly dig up albums, the attacker likely could have deleted a lot of photos before Facebook was any the wiser.

Update: A rep at Facebook tells us it wouldn’t have been quite so easy to delete en masse:

We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims. To be clear, triggering this issue would have required knowledge of the ID of the target photo album, as well as permission to view the album based on the album’s privacy settings. We’d like to thank the researcher who reported the issue to us through our bug bounty program

Let it be a gentle reminder: Facebook isn’t a backup drive. While your photos hopefully won’t vanish without warning, Facebook’s code isn’t infallible. Back up the stuff you love.