Facebook Vulnerability Could Allow Hackers to Delete Your Photo Albums

An Indian security researcher recently discovered a startling vulnerability in Facebook, perhaps the most widely used social media platform in the world. This vulnerability allows a hacker to modify the access token typically required by Facebook’s Graph API mechanism – the API responsible for uploading, deleting, and maintaining all photos on all Facebook accounts (both public and private). The researcher who discovered the bug, Laxman Muthiyah, realized that the Graph API corresponded directly to the “Delete Album” button found during a legitimate user session and by using his own access token via Facebook for Android, Muthiyah was able to change the parameters of a simple HTTP request to delete the photos from any Facebook account.

In fact, some security experts believe that this exploit could have been used to delete every photo currently stored on Facebook’s servers – a catastrophe for the company and those who use the service to say the least. The vulnerability works on any user currently logged in via the mobile version of Graph API as Facebook is unable to detect the difference between one mobile access token and another. In other words, if a mobile access token is valid, it is valid for all active mobile users and all a hacker would need to do to delete someone else’s photos would be to change the HTTP request to contain the victim’s photo album ID. Below is an example of what this fraudulent request looks like:

Request :-
Host : graph.facebook.com
Content-Length: 245

It really is that simple, but fortunately this security researcher did the right thing and reported the bug to Facebook before making it public. It was such a serious bug that Facebook responded in just two hours confirming the problem and acknowledging that the issue has already been fixed.

The Facebook bug bounty program also rewarded Muthiyah with a generous $12,500 reward for discovering and reporting the bug that could have had a devastating effect on the popular social media platform.

In a statement issued by Facebook, the company stated "We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims," said a Facebook representative. "We’d like to thank the researcher who reported the issue to us through our bug bounty program."

facebook graph api vulnerability

While this issue was quickly resolved and no apparent harm was done, it proves how such a simple bug could create utter havoc in a matter of minutes in the hands of cybercriminals who could have used this vulnerability to extort people or simply disrupt the social network by deleting massive amounts of photos in a very short period of time.

Although there is no longer a need to protect yourself from this threat, it should serve as a reminder that important photos, documents, and other personal files should be backed up redundantly whenever possible.

Many people use Facebook Photo Albums as a sort of cloud-storage solution for these images and had this vulnerability been discovered by the wrong people, it could have meant millions of pictures would disappear without any way to recover them. Always consider storing important files in more than one place to avoid losing them through no fault of your own.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal