An Indian security researcher recently discovered a startling vulnerability in Facebook, perhaps the most widely used social media platform in the world. The vulnerability allowed an attacker to reuse an access token accepted by Facebook’s Graph API – the API responsible for uploading, deleting, and maintaining all photos on all Facebook accounts (both public and private) – against albums the token holder did not own. The researcher who discovered the bug, Laxman Muthiyah, realized that the Graph API call corresponded directly to the “Delete Album” button used during a legitimate user session. By using his own access token issued to Facebook for Android, Muthiyah was able to change the parameters of a simple HTTP request and delete the photos from any Facebook account.
In fact, some security experts believe that this exploit could have been used to delete every photo currently stored on Facebook’s servers – a catastrophe for the company and those who use the service, to say the least. The vulnerability affected any user of the mobile version of the Graph API, because Facebook did not check which user a mobile access token belonged to before honoring a delete. In other words, if a mobile access token was valid, it was treated as valid for every album, and all an attacker needed to do to delete someone else’s photos was change the HTTP request to contain the victim’s photo album ID. Below is an example of what this fraudulent request looks like:
DELETE / HTTP/1.1
Host : graph.facebook.com
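As an added illustration (not Facebook’s code or the researcher’s), the toy endpoint below models the authorization gap described above and the object-level ownership check that closes it; every user, token and album ID in it is constructed for the example.

```python
# Added example, not Facebook's or the researcher's code: a toy model of the
# album-delete endpoint. All users, tokens and album IDs are constructed.
from dataclasses import dataclass, field


@dataclass
class Album:
    album_id: str
    owner_id: str
    photos: list = field(default_factory=list)


# Constructed access tokens: token -> user the token was issued to.
TOKENS = {
    "tok-alice-mobile": "alice",
    "tok-bob-mobile": "bob",
}


def make_store():
    """Fresh constructed album store: one album per user."""
    return {
        "album-alice": Album("album-alice", "alice", ["a1.jpg", "a2.jpg"]),
        "album-bob": Album("album-bob", "bob", ["b1.jpg"]),
    }


def delete_album_vulnerable(store, token, album_id):
    """Mirrors the flaw: the token is only checked for validity, so any
    valid mobile token can delete whatever album ID the caller names."""
    if token not in TOKENS:
        return 401  # unauthenticated
    if album_id not in store:
        return 404
    del store[album_id]
    return 200


def delete_album_fixed(store, token, album_id):
    """Object-level authorization: the album must belong to the user the
    token was issued to, not merely to some holder of a valid token."""
    if token not in TOKENS:
        return 401
    caller = TOKENS[token]
    album = store.get(album_id)
    if album is None or album.owner_id != caller:
        # Same response for a missing album and a foreign one, so the
        # endpoint does not confirm which album IDs exist. A production
        # service would also log the denied attempt for detection.
        return 404
    del store[album_id]
    return 200
```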
It really is that simple, but fortunately this security researcher did the right thing and reported the bug to Facebook before making it public. It was such a serious bug that Facebook responded in just two hours, confirming the problem and stating that the issue had already been fixed.
The Facebook bug bounty program also rewarded Muthiyah with a generous $12,500 reward for discovering and reporting the bug that could have had a devastating effect on the popular social media platform.
In a statement issued by Facebook, a company representative said: "We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims. We’d like to thank the researcher who reported the issue to us through our bug bounty program."
While this issue was quickly resolved and no apparent harm was done, it shows how such a simple bug could create utter havoc in a matter of minutes in the hands of cybercriminals, who could have used this vulnerability to extort people or simply to disrupt the social network by deleting massive numbers of photos in a very short period of time.
Although there is no longer a need to protect yourself from this threat, it should serve as a reminder that important photos, documents, and other personal files should be backed up redundantly whenever possible.
Many people use Facebook Photo Albums as a sort of cloud-storage solution for these images, and had this vulnerability been discovered by the wrong people, it could have meant millions of pictures disappearing without any way to recover them. Always consider storing important files in more than one place to avoid losing them through no fault of your own.