A security researcher recently made a seriously startling discovery. With just four lines of code, he says he could delete any photo album on Facebook. Zuck's wedding photos? Zap. Your high school graduation album? Lost forever. Lucky for you, he decided to report the bug to Facebook, which promptly cut him a check.
Let's back up a second. It was possible to delete random photo albums with four lines of code? It seems like Facebook's well paid security team would've made sure that users' data was safe at all times. But even the most robust bug-checking misses things. That's why Facebook has a bug bounty system. More on that in a second. First let's look at this disappearing photo album bug.
Laxman Muthiyah, the white hat in question, says he was tinkering with Facebook's Graph API, when he wondered, "What if your photos get deleted without your knowledge? Obviously that's very disgusting isn't it?" So, naturally, he tried to figure out how. And it wasn't even that hard by the sound of it:
I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn't it? Yeah and also it uses the same Graph API. so took a album id & Facebook for android access token of mine and tried it.
There are a few terms in there that need unpacking. A Facebook access token is a string of characters that enables an app to gain access to a user profile. You know when you go to log into a game with your Facebook profile, for instance, Facebook generates a unique access token for this task. Laxman used a token for the Facebook for Android app and a random photo album ID—a randomly generated string of numbers that appears in the URL of any photo album or photo that's in an album. It appears after the "DELETE /" command below.
Here's what the resultant API call looked like, all four lines of it:
Request :-
DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
And here's what Facebook's servers sent back:
Response :-
true
In other words: Album deleted. You can watch Laxman execute the hack and attempt to view the album after the request in the YouTube video below. The album is definitely gone. Laxman said that he reported the bug to Facebook, and the company fixed it within two hours.
As Naked Security blogger Mark Stockley points out, Laxman could've done a lot of damage with this precious knowledge. Since the album ID numbers are sequential, he could've built a bot to go through and systematically delete everyone's albums. Or held Facebook hostage in order to get a big bounty.
"He could have milked it," says Stockley, "kept his discovery under wraps (giving somebody less upstanding a chance to find it), engaged a PR firm and given it a fancy name." Like Heartbleed—or maybe Facebleed in this case. But he didn't; Laxman reported the bug to Facebook like some white hat hacker prince.
The bug is now completely fixed. (We've contacted Facebook to confirm the details of the bug and will update this post when they get back to us.) Guess how much Facebook paid him for being a hero: $12,500. Maybe Facebook should tack a zero onto the end of that sum and just hire Laxman to come and work for its security team. They clearly need the help. [7xter via Naked Security]
Update: Facebook sent us this statement:
We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims. To be clear, triggering this issue would have required knowledge of the ID of the target photo album, as well as permission to view the album based on the album's privacy settings. We'd like to thank the researcher who reported the issue to us through our bug bounty program.
GIF by Adam Clark Estes