Facebook Bug Allowed Anyone To Delete Public Photos
By Paul Liu
Tuesday, July 7th, 2015
This actually happened a couple of months back, but it’s still pretty relevant…..A fatal bug was discovered within Facebook that could have disrupted the operations of the social networking site in a big way. The security flaw, which was present in the Graph API used by the social giant, was reportedly so severe that it could have allowed anyone to delete any photo album whose privacy setting was set to public. The Facebook bug was discovered by Laxman Muthiyah from India and Facebook awarded him a record $12,500 through its bug bounty program for the discovery of the bug.
As per the details published by Laxman on his blog, the Graph API didn’t check for proper permissions while processing delete requests related to public photo albums. The Graph API offers a way for developers to read and write data and is used by almost all apps that are currently available on the social site. While the Graph API usually needs an access token to work correctly and doesn’t allow deletion of photos through the graph explorer, Laxman discovered that he was able to delete photos and photo albums of other Facebook users while using the Delete Album functionality available on Facebook’s mobile app.
Since the mobile interface of Facebook allows users to delete albums with a single tap, it should have had proper checks in place to ensure that only legitimate account holders were able to perform such an action. However, this was clearly not the case since the Graph API was not authenticating the access tokens correctly. Laxman found that he could delete others’ albums just by supplying the album ID and his Facebook for Android access token (not the access token of the user whose photos were being deleted).
Since Facebook stores albums as sequential numbers in its database, the bug could have had catastrophic consequences for the social networking site. Anyone with a little technical know-how could have built a simple incremental script that could have deleted all the albums whose privacy was set to public. The worst part is Facebook wouldn’t have had a clue regarding why this is happening. This is indeed a scary scenario since there are literally billions of photos and photo albums on the site that are visible to just about anyone. So, it won’t be an exaggeration if I say that the bug could have erased a big part of Facebook in a single day.
The Facebook team swung into action as soon as Laxman reported the bug to them. As per media reports, it took Facebook engineers just a couple of hours to fix it. The discovery of the bug also has an important lesson for all Facebook users: remember to set the privacy settings of all media correctly and make sure to backup important photos and videos. A lot of people have the habit of dumping their photos on Facebook but as the discovery of the bug shows, it just takes a single flaw to wipe out years of memories. It would be incorrect to assume that there are no bugs within Facebook’s code just because it is a multi-billion dollar company and is run by some of the best technical brains in the world.
You also might like:
Watch The Last Man on Earth Online
The Last Man on Earth is a post-apocalyptic comedy TV series currently airing on the Fox …
How To Unblock CBC Player Outside Canada
CBC Player (cbc.ca/player) is your one stop destination for CBC news, entertainment programs, sporting events and …
Watch The Bastard Executioner Online
The fall TV season is here and it has brought many surprises in the form of …
How to Watch ABC’s Black-ish Outside of the US
Black-ish is a sitcom which made its debut on ABC in September’ 2014. The series focuses …
5 Tips to Keep Secure Excel Files
Microsoft Excel is the most popular spreadsheet application available today. The software was initially created for …
3 Reasons Every Small Business Should Consider a VPN
Virtual Private Networks (VPNs) offer a cost-effective way for small businesses to securely share data between …
July 7, 2015