This Facebook Bug Allowed Anyone To Delete Your Photos
How many photos do you have on Facebook? How many of those have you never thought to back up?
A just-revealed Facebook bug would have allowed anyone with a bit of technical know-how to delete any photo on Facebook.
Fortunately, the person who discovered the bug, Laxman Muthiyah of India, was quick to give Facebook a heads-up, and for his troubles he got a $12,500 bounty. Sure, the bug could easily have done more than $12,500 worth of damage to Facebook, but that is not quite how bug bounty programs work.
Facebook turned around and fixed the bug in about 2 hours.
Laxman has a breakdown of how it all works here, but here is the short version: Facebook’s Graph API was not checking permissions properly. If you sent a request to the Graph API to delete another user’s photo album and tossed in your own Facebook for Android token as the required stamp of approval, it would blindly accept it and the album would disappear.
On the victim’s end, the photo album would have just… disappeared.
It is a rather simple bug, really, one of those things you would never expect to actually work.
But it did, and it could have had pretty spiteful consequences. As Sophos points out, Facebook photo albums are identified and stored with simple, sequential numbers. If someone had pointed this at the server with a basic script that incremented album numbers, the attacker likely could have deleted a lot of photos before Facebook was any the wiser.
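As an added illustration (not Facebook’s code and not from Laxman’s write-up), the Python below models the album-delete endpoint described above: the vulnerable handler accepts any valid app token as the stamp of approval, the fixed handler also checks that the token’s user owns the album, and a small audit-trail check flags a token that keeps collecting denials across consecutive album ids, the enumeration pattern Sophos warned about. All tokens, user ids and album ids are constructed for the example.

```python
# Constructed data: token -> user id, and album id -> owner id.
TOKENS = {"tok_alice": "alice", "tok_mallory": "mallory"}

def sample_albums():
    return {1001: "alice", 1002: "bob"}   # sequential ids, as the article notes

def delete_album_vulnerable(albums, token, album_id):
    """Models the bug: any valid app token passes as the 'stamp of approval';
    nobody checks whether the caller owns the album."""
    if token not in TOKENS:
        return "unauthenticated"
    if album_id not in albums:
        return "not_found"
    del albums[album_id]
    return "deleted"

def delete_album_fixed(albums, token, album_id):
    """Object-level authorization: the token's user must own the album.
    Missing and foreign albums get the same answer, so the endpoint does not
    confirm which sequential ids exist."""
    user = TOKENS.get(token)
    if user is None:
        return "unauthenticated"
    if albums.get(album_id) != user:
        return "forbidden"
    del albums[album_id]
    return "deleted"

def flag_enumeration(events, run_length=3):
    """Detection on the audit trail: a token that keeps getting 'forbidden' on
    consecutive album ids is walking the id sequence, not using the app.
    events: iterable of (token, album_id, result) tuples."""
    denied = {}
    for token, album_id, result in events:
        if result == "forbidden":
            denied.setdefault(token, set()).add(album_id)
    flagged = set()
    for token, ids in denied.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= run_length:
                flagged.add(token)
                break
    return flagged
```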
Let it be a gentle reminder: Facebook is not a backup drive. While your photos hopefully will not vanish without warning, Facebook’s code is not perfect. Back up the stuff you love.