For many of us, Facebook houses the large majority of our personal photos. And why not? It’s an easy way to share last night’s adventures, photos of growing kids and pets, or even last night’s dinner.
It’s not like Facebook would ever just delete everything without notice, right? Well, Facebook wouldn’t, but scammers recently had a chance to zap your precious selfies.
Security researcher Laxman Muthiyah detailed how he uncovered a bug that allowed him to delete any public photo on Facebook.
Lucky for you, Muthiyah immediately reported the problem to Facebook, which fixed it within hours and awarded Muthiyah a $12,500 bug bounty. But had Muthiyah been a digital troublemaker, the glitch could’ve been a lot worse.
“Laxman could probably have sold that bug to somebody other than Facebook and earned a great deal more money than he got for doing the Right Thing,” Mark Stockley with Sophos wrote in a blog post. “Or he could have milked it; kept his discovery under wraps (giving somebody less upstanding a chance to find it), engaged a PR firm and given it a fancy name. And of course he had the chance to make himself The Man That Wrecked Facebook if he wanted to take it. Do you think LizardSquad would have blinked before inflicting misery for the sake of self-aggrandizement?”
In a statement to Stockley, Facebook said “triggering this issue would have required knowledge of the ID of the target photo album, as well as permission to view the album based on the album’s privacy settings,” but thanked Muthiyah for finding the glitch.
How did he find it? Using the Graph API, which, as he wrote, “is primary way for developers to read and write the users data.”
“In general Graph API requires an access token to read or write users data,” he wrote. “According to Facebook developers documentation, photo albums cannot be deleted using the album node in Graph API.”
But Muthiyah tried anyway, and while that failed, the error message that appeared basically told him how to get around it.