The Facebook Bug That Could Delete All of Your Photos

Best Practices, Social Media

How many pictures do you have on your Facebook or other social media profile? Do you have multiple albums that haven’t been backed up? What would you do if someone went in and deleted all of your pictures without your knowledge or consent? What if Facebook didn’t know the reason either? Why do we exist? What is meaning?

Just kidding about those last two.

Recently, a blogger named Laxman Muthiyah discovered a bug in Facebook’s code that would allow a hacker to go in and delete all of your photos. 48% of all selfies taken are stored on Facebook versus any other social network. Laxman has a breakdown of how it all works here, but here’s the short version: Facebook’s Graph API wasn’t checking permissions properly. If you sent a request to the Graph API to delete another user’s photo album and passed your own Facebook for Android access token as the required stamp of approval, it would blindly accept it and the album would vanish.


Here is what the request looked like:

Request:

DELETE /[Victim’s_photo_album_id] HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=[Your(Attacker)_Facebook_for_Android_Access_Token]

Yuck. Just by inserting the photo album’s ID number, Muthiyah was able to delete Facebook pictures that did not belong to him. On the victim’s end, the photos would have just disappeared without explanation. Thankfully, Muthiyah is a decent human being and reported the bug to Facebook and the company wrote back in just two hours, saying the bug was fixed and offering him $12,500 through Facebook’s bug bounty program.

The bug was reportedly simple enough that anyone with basic coding knowledge could have done the same thing. Assuming the fix was equally simple, fixing the mobile application’s permission check was most likely all that needed to be done, but it’s a reminder of how much damage even a small bug can do.
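As an added illustration (not Facebook’s code and not taken from Muthiyah’s write-up), the toy handler below shows the missing check and the fix: the vulnerable version treats any valid token as permission to delete any album, while the fixed version compares the album’s owner to the user behind the token. Album ids, token strings, user names and the in-memory tables are constructed for this example.

```python
import copy

# Constructed sample data, not real Facebook identifiers.
def fresh_albums():
    """Album table keyed by album id (sequential, as the post notes): id -> owner and photos."""
    return copy.deepcopy({
        "1001": {"owner": "alice", "photos": ["beach.jpg", "cake.jpg"]},
        "1002": {"owner": "bob", "photos": ["dog.jpg"]},
    })

# Access token -> (user who granted it, client app it was issued to). Constructed values.
TOKENS = {
    "tok-bob-android": ("bob", "facebook_for_android"),
    "tok-alice-web": ("alice", "www"),
}

def resolve_token(token):
    """Return (user, app) for a known token, or None for an unknown one."""
    return TOKENS.get(token)

def delete_album_vulnerable(albums, album_id, access_token):
    """The bug as the post describes it: the token is authenticated, but the
    album's owner is never compared to the caller, so any valid token deletes any album."""
    if resolve_token(access_token) is None:
        return 401, "invalid token"
    if album_id not in albums:
        return 404, "not found"
    del albums[album_id]  # wipes someone else's photos
    return 200, "deleted"

def delete_album_fixed(albums, album_id, access_token):
    """Hardened handler: authenticate the token, then authorize the specific
    (caller, album) pair. Which client app issued the token does not matter."""
    identity = resolve_token(access_token)
    if identity is None:
        return 401, "invalid token"
    caller, _app = identity
    album = albums.get(album_id)
    # Same response for "missing" and "not yours", so probing sequential ids
    # does not confirm which albums exist.
    if album is None or album["owner"] != caller:
        return 404, "not found"
    del albums[album_id]
    return 200, "deleted"

if __name__ == "__main__":
    print("vulnerable:", delete_album_vulnerable(fresh_albums(), "1001", "tok-bob-android"))
    print("fixed:     ", delete_album_fixed(fresh_albums(), "1001", "tok-bob-android"))
```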

Sophos points out that Facebook photo albums are identified and stored by sequential numbers, so it is fairly easy to type in a sequence and discover someone’s albums. If someone had placed this code on a server and fed it a basic number sequence, the attacker likely could have deleted a lot of photos, even private albums, before Facebook caught them. And you thought your pictures were safe?


A rep at Facebook tells TechCrunch it wouldn’t have been quite so easy to delete en masse:

“We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims. To be clear, triggering this issue would have required knowledge of the ID of the target photo album, as well as permission to view the album based on the album’s privacy settings. We’d like to thank the researcher who reported the issue to us through our bug bounty program.”


Don’t be naive when it comes to backing up your information and photos. Facebook and other social networking sites are not backup servers and their code is not infallible. Look how easy it was for someone with simple technical knowledge to find a bug in Facebook’s code giving them the ability to take down anyone’s personal pictures.

There are a few places that you can save your pictures so they aren’t just stored on Facebook. All of these companies save your pictures on what is called “The Cloud.” Did you know Dropbox alone has 50 million users? The cloud involves deploying groups of remote servers and software networks that allow centralized data storage and online access to computer services or resources. Take a look at some cloud storage services: Dropbox, Flickr, Google Cloud and Box.com.


Here is how Muthiyah did it:

