2/13/2015 5:12:47 PM
Written by: Staff Reporter
An Indian security researcher has just discovered a serious flaw in Facebook. With just four lines of code, he says he could delete any photo album on Facebook. Laxman Muthiyah, the researcher in question, reported the bug to Facebook, which paid him a cheque of $12,500, in line with its “bug bounty” system.
Muthiyah says he was tinkering with Facebook's Graph API, when he wondered, "What if your photos get deleted without your knowledge? Obviously that's very disgusting isn't it?" So, naturally, he tried to figure out how. And it wasn't even that hard by the sound of it:
“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn't it? Yeah and also it uses the same Graph API. So I took an album id and Facebook for android access token of mine and tried it.”
In plain English, a Facebook access token is a string of characters that enables an app to gain access to a user profile. When you go to log into a game with your Facebook profile, for instance, Facebook generates a unique access token for this task. Muthiyah used a token for the Facebook for Android app and a random photo album ID, a randomly generated string of numbers that appears in the URL of any photo album or of any photo that's in an album. It appears after the "DELETE /" in the request line below.
The resultant API call looked like this, all four lines of it:
DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
And here's what Facebook's servers sent back:
In other words: Album deleted. To Facebook’s credit, after Muthiyah reported the bug to them, the company fixed it within two hours.
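The bug described above is a missing object-level authorization check: the server accepted a valid token and an album id, but never confirmed that the token's user owned that album. The following Python is an added example, not Facebook's code or Muthiyah's, showing the vulnerable check beside the corrected one for a request shaped like the "DELETE /<album_id>" call in the article. The token store, album store, scope names and function names are assumptions made for the demonstration; the album id from the article is reused only as a constructed sample key.

```python
"""Added example: object-level authorization for a DELETE endpoint.

Not Facebook's code. It models the server-side check that a request like
"DELETE /518171421550249 HTTP/1.1" with an access token must pass.
All stores, scope names and function names are assumptions.
"""
import copy
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    user_id: str        # the user who authorised this token
    app_id: str         # the app the token was issued to
    scopes: frozenset   # permissions granted to the token (constructed names)


# Constructed sample data: two users' albums and tokens for two apps.
ALBUMS = {
    "518171421550249": {"owner_id": "user_alice"},
    "518171421550250": {"owner_id": "user_bob"},
}
TOKENS = {
    "tok_alice_app1": AccessToken("user_alice", "app_1", frozenset({"user_photos"})),
    "tok_alice_mobile": AccessToken("user_alice", "mobile_app",
                                    frozenset({"user_photos", "publish_actions"})),
}

REQUEST_LINE = re.compile(r"^DELETE /(?P<album_id>\d+) HTTP/1\.[01]$")


def fresh_albums():
    """Independent copy of the sample store so each call starts from the same state."""
    return copy.deepcopy(ALBUMS)


def parse_delete_request_line(line):
    """Extract the album id from a request line of the form shown in the article."""
    m = REQUEST_LINE.match(line.strip())
    return m.group("album_id") if m else None


def delete_album_vulnerable(albums, token_str, album_id):
    """Only checks that the token exists and the album exists.

    Any authenticated caller can delete any album: the bug class in the article.
    """
    if token_str not in TOKENS or album_id not in albums:
        return {"success": False}
    del albums[album_id]
    return {"success": True}


def delete_album_fixed(albums, token_str, album_id):
    """Object-level authorization: the token's user must own the album and the
    token must carry a scope that permits the operation.

    The app the token was issued to (token.app_id) is NOT a substitute for the
    ownership check; a token for any app must be bound to the owning user.
    """
    token = TOKENS.get(token_str)
    if token is None or album_id not in albums:
        return {"success": False, "error": "not found"}
    if albums[album_id]["owner_id"] != token.user_id:
        # Same response as a missing album, so callers cannot learn which ids exist.
        return {"success": False, "error": "not found"}
    if "user_photos" not in token.scopes:
        return {"success": False, "error": "insufficient scope"}
    del albums[album_id]
    return {"success": True}


def handle_delete(albums, request_line, token_str, checker=delete_album_fixed):
    """Glue: parse the request line, then run the chosen authorization check."""
    album_id = parse_delete_request_line(request_line)
    if album_id is None:
        return {"success": False, "error": "bad request"}
    return checker(albums, token_str, album_id)


if __name__ == "__main__":
    store = fresh_albums()
    # Alice's mobile token against Bob's album: denied once ownership is checked.
    print(handle_delete(store, "DELETE /518171421550250 HTTP/1.1", "tok_alice_mobile"))
    # Alice's own album: allowed.
    print(handle_delete(store, "DELETE /518171421550249 HTTP/1.1", "tok_alice_mobile"))
```

The key design point is that the decision is made from the token's bound user and the object's owner on the server side, never from anything the client sends, and that an ownership failure is indistinguishable from a missing object in the response.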
As Naked Security blogger Mark Stockley points out, Muthiyah could have made hay with his precious discovery. Since the album ID numbers are sequential, he could've built a bot to go through and systematically delete everyone's albums. Or held Facebook hostage for big money.
"He could have milked it," says Stockley, "kept his discovery under wraps (giving somebody less upstanding a chance to find it), engaged a PR firm and given it a fancy name." But Muthiyah stayed true to his white-hat hacker values. The bug is now completely fixed.
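Stockley's point about sequential ids is what turns a single bad request into mass damage, so beyond fixing the authorization check a defender also wants to notice a token deleting consecutive object ids in quick succession. The Python below is an added example, not the article's or Facebook's code: it parses a few constructed access-log lines and flags tokens whose successful deletes form a near-contiguous run of ids inside a short window. The log format, field names and thresholds are assumptions for the demonstration.

```python
"""Added example: flag bulk deletion against sequential object ids in API logs.

Not from the article. The log line format ("<unix_ts> <token> <METHOD> /<id> <status>"),
the field names and the thresholds are assumptions for the demonstration.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<token>\S+) (?P<method>[A-Z]+) /(?P<id>\d+) (?P<status>\d{3})$"
)

# Constructed sample log: one ordinary user, and one token deleting consecutive ids.
SAMPLE_LOG = """\
1423842767 tok_alice DELETE /518171421550249 200
1423842770 tok_alice GET /518171421550300 200
1423842771 tok_x DELETE /700000000000001 200
1423842772 tok_x DELETE /700000000000002 200
1423842772 tok_x DELETE /700000000000003 200
1423842773 tok_x DELETE /700000000000004 200
1423842773 tok_x DELETE /700000000000005 200
this line is malformed and must be skipped
"""


def parse_log(text):
    """Return (ts, token, method, object_id, status) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            events.append((int(d["ts"]), d["token"], d["method"], int(d["id"]), int(d["status"])))
    return events


def find_sequential_deleters(events, min_deletes=3, window_s=60, max_gap=1):
    """Map token -> longest run of successful DELETEs whose ids step by at most
    max_gap (in either direction) and that fit inside window_s seconds, for runs
    of at least min_deletes. Tokens with no such run are absent from the result."""
    by_token = defaultdict(list)
    for ts, token, method, oid, status in events:
        if method == "DELETE" and status == 200:
            by_token[token].append((ts, oid))

    flagged = {}
    for token, dels in by_token.items():
        dels.sort()            # order by time, then id
        run = [dels[0]]
        for cur in dels[1:]:
            prev = run[-1]
            close_id = 0 < abs(cur[1] - prev[1]) <= max_gap
            in_window = cur[0] - run[0][0] <= window_s
            if close_id and in_window:
                run.append(cur)
            else:
                run = [cur]
            if len(run) >= min_deletes:
                flagged[token] = max(flagged.get(token, 0), len(run))
    return flagged


if __name__ == "__main__":
    for token, run_len in find_sequential_deleters(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT token={token} consecutive_deletes={run_len}")
```

This is an after-the-fact signal, not a substitute for the ownership check: by the time a run is long enough to alert on, some objects are already gone, which is why the authorization fix comes first and detection like this is a backstop against the enumeration pattern the article describes.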