We probably had never clicked so many pictures, if there was no Facebook. Uploading those pictures to your Facebook profile (even if privately) means a sense of safe storage for most people, which can be downloaded any time again. But, what if you go back and see no pictures there?
On Thursday, a software engineer Laxman Muthiyah discovered a vulnerability which allowed anyone to delete any photo album by any user on Facebook. “Any photo album owned by an user or a page or a group could be deleted,” said Muthiyah, though he clarified later “photos which are public or the photos I could see,” implying private photos as well if the attacker had permission to view the album. Security firm Sophos adds, “So long as [Muthiyah] had the photo album ID and permission to view the album he could delete it… Facebook album IDs are numeric, which means that guessing them is easy – you start with 1 and just keep going up.
This was essentially a Graph API flaw in Facebook Android app which potentially allowed a target album to be deleted with its numbered ID. Facebook was quick to response on the reported vulnerability by Muthiyah and offered him $12,500 (approximately Rs. 7.76 lakhs) through Facebook’s bug bounty program.
So how did that happen?
According to Muthiyah, while Facebook notes that its photo albums cannot be deleted using the album node in Graph API, he tried to delete one of his own photo albums with a Facebook for mobile access token using the same Graph API and it got deleted.
“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API. so took a album id & Facebook for Android access token of mine and tried it,” notes Muthiyah.