
Facebook Bug Allowed Anyone To Delete Public Photos

Tuesday, July 7th, 2015

This actually happened a couple of months back, but it’s still pretty relevant. A fatal bug was discovered within Facebook that could have disrupted the operations of the social networking site in a big way. The security flaw, which was present in the Graph API used by the social giant, was reportedly so severe that it could have allowed anyone to delete any photo album whose privacy setting was set to public. The bug was discovered by Laxman Muthiyah from India, and Facebook awarded him a record $12,500 through its bug bounty program for the discovery.

As per the details published by Laxman on his blog, the Graph API didn’t check for proper permissions while processing delete requests related to public photo albums. The Graph API offers a way for developers to read and write data and is used by almost all apps that are currently available on the social site. While the Graph API usually needs an access token to work correctly and doesn’t allow deletion of photos through the graph explorer, Laxman discovered that he was able to delete photos and photo albums of other Facebook users while using the Delete Album functionality available on Facebook’s mobile app.

Since the mobile interface of Facebook allows users to delete albums with a single tap, it should have had proper checks in place to ensure that only legitimate account holders were able to perform such an action. However, this was clearly not the case, since the Graph API was not verifying that the supplied access token belonged to the owner of the album. Laxman found that he could delete others’ albums just by supplying the album ID and his Facebook for Android access token (not the access token of the user whose photos were being deleted).
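The missing check described above, as an added example (not Facebook's code and not taken from Laxman's write-up): a toy in-memory album service where the first handler only validates the token and the second also verifies that the token's user owns the album. The token table, album records and function names are hypothetical.

```python
# Added illustration: a toy album service, not Facebook's code.
# All names (TOKENS, fresh_albums, delete_album_*) are hypothetical.
import logging

log = logging.getLogger("album_api")

# Constructed sample data: access token -> user id.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def fresh_albums():
    """Constructed sample albums: album id -> record."""
    return {
        101: {"owner": "alice", "privacy": "public"},
        102: {"owner": "bob", "privacy": "public"},
    }


def delete_album_vulnerable(albums, token, album_id):
    """Authenticates the caller but never asks who owns the album."""
    if token not in TOKENS:
        return 401
    if album_id not in albums:
        return 404
    del albums[album_id]  # any valid token deletes any album
    return 200


def delete_album_checked(albums, token, album_id):
    """Same endpoint with an object-level authorization check."""
    user = TOKENS.get(token)
    if user is None:
        return 401
    album = albums.get(album_id)
    if album is None:
        return 404
    if album["owner"] != user:
        # Deny and record it: repeated denials across many album ids
        # from one token are the signal an operator would alert on.
        log.warning("denied delete: user=%s album=%s owner=%s",
                    user, album_id, album["owner"])
        return 403
    del albums[album_id]
    return 200
```

The only difference between the two handlers is the ownership comparison; a valid token proves who the caller is, not what the caller may delete.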

Since Facebook stores albums as sequential numbers in its database, the bug could have had catastrophic consequences for the social networking site. Anyone with a little technical know-how could have built a simple incremental script that could have deleted all the albums whose privacy was set to public. The worst part is that Facebook wouldn’t have had a clue as to why this was happening. This is indeed a scary scenario, since there are literally billions of photos and photo albums on the site that are visible to just about anyone. So it would not be an exaggeration to say that the bug could have erased a big part of Facebook in a single day.

The Facebook team swung into action as soon as Laxman reported the bug to them. As per media reports, it took Facebook engineers just a couple of hours to fix it. The discovery of the bug also has an important lesson for all Facebook users: remember to set the privacy settings of all media correctly and make sure to back up important photos and videos. A lot of people have the habit of dumping their photos on Facebook, but as the discovery of the bug shows, it just takes a single flaw to wipe out years of memories. It would be incorrect to assume that there are no bugs within Facebook’s code just because it is a multi-billion dollar company and is run by some of the best technical brains in the world.

