Man Finds Simple Hack for Deleting Other People’s Facebook Photos, Earns $12.5K Bounty

4859806074_0f5d6faa15_z

An Indian security researcher has been awarded $12,500 by Facebook after discovering a ridiculously simple hack that could have wiped out vast numbers of photos on Facebook.

In a personal blog post titled How I Hacked Your Facebook Photos, Laxman Muthiyah shares how he stumbled upon a vulnerability in the social networking service that would allow a malicious person to nuke entire photo albums on Facebook.

Using Facebook’s API and a mobile access token, Muthiyah used the following four-lines to request an album deletion for one of his albums:

DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
access_token=❮Facebook_for_Android_Access_Token❯

Facebook’s servers responded with a “true” message, indicating that the album had gotten wiped out. He then tried the same thing on “a victim’s” album.

Same result.

“OMG :D the album got deleted!,” Muthiyah writes. “So I got access to delete all of your Facebook photos (photos which are public or the photos I could see) :P lol :D.”

Here’s a short screencast video he recorded that shows the hack in action:

Naked Security points out that Muthiyah could have “milked” his discovery and done a great deal of damage to Facebook and the photos of people around the world.

Instead, Muthiyah did the right thing. He immediately reported the issue through Facebook’s bug bounty program. The service fixed the bug in less than two hours and, after reviewing it, decided to award Muthiyah with $12,500 for his help.

bounty

(via 7xter via Gizmodo)


Image credits: Header photo by Johan Larsson

Discussion