Researcher discovered a flaw that could help him delete photos from anyone’s account.
Deleting someone else’s pictures from Facebook is certainly not an easy task. However, Indian web developer Laxman Muthiyah claims that he discovered a flaw with which he could easily remove photos from almost any user account on Facebook. He immediately notified the company about the flaw, and it was patched in due time.
Muthiyah currently works as a web developer at the popular Indian movie website Behindwoods. He says that to confirm the flaw he deleted sample albums using Facebook’s mobile client and a developer API.
Muthiyah says he reported the problem to Facebook on Tuesday and it was fixed within just two hours. The company found him eligible for a $12,500 bug bounty.
Muthiyah’s Story:
When asked how he identified this critical flaw, Muthiyah replied that he was just playing around with the Graph API, the interface that lets Facebook apps read and write user data. Although the developer documentation clearly stated that apps cannot delete albums, Muthiyah tried it anyway, and the result was exactly as documented.
In response, the error message that appeared was:
{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}
This revealed that while his app couldn’t make the API call, some other app might be able to. So he took the access token of the official Facebook for Android app, which also uses the Graph API and is permitted to delete albums, and sent this request:
DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>
And it worked. Muthiyah was ecstatic:
“OMG :D the album got deleted! So I got the key to delete all of your Facebook photos :P lol :D.”
He realized that this was a major flaw, since all that was needed to wipe out anyone’s Facebook photo albums was four lines of code. He reported the flaw to Facebook on Feb 10, and the company awarded him the bounty within 12 hours.
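To make the missing check concrete, here is an added, self-contained Python model written for this article; it is not Facebook’s code, and the token fields, app names, album store and the denial message in the fixed handler are assumptions. The vulnerable handler verifies only that the calling app is allowed to delete albums (the check that produced the (#200) error above), while the fixed handler also verifies that the user the token was issued for owns the album being deleted.

```python
# Added illustration (not Facebook's code): a toy model of the
# authorization gap behind the album-deletion bug. The token layout, the
# app names and the album store are all assumptions made for this example.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class AccessToken:
    user_id: str  # the account that authorized the token (the caller)
    app_id: str   # the application the token was issued to


@dataclass
class Album:
    album_id: str
    owner_id: str


# Constructed sample data. "android_app" stands in for a first-party app
# that is capable of deleting albums; "third_party_app" for a developer
# app that is not and therefore gets the (#200) error quoted above.
APP_CAN_DELETE_ALBUMS = {"android_app": True, "third_party_app": False}


def make_albums() -> Dict[str, Album]:
    """Fresh copy of the constructed album store, one album per user."""
    return {
        "album_victim": Album("album_victim", owner_id="victim"),
        "album_attacker": Album("album_attacker", owner_id="attacker"),
    }


class GraphApiError(Exception):
    """Mirrors the shape of the API error: a numeric code plus a message."""

    def __init__(self, code: int, message: str) -> None:
        super().__init__(message)
        self.code = code


def _require_app_capability(token: AccessToken) -> None:
    """The only check the vulnerable handler performs: app-level capability."""
    if not APP_CAN_DELETE_ALBUMS.get(token.app_id, False):
        raise GraphApiError(200, "(#200) Application does not have the "
                                 "capability to make this API call.")


def delete_album_vulnerable(albums: Dict[str, Album],
                            token: AccessToken, album_id: str) -> dict:
    """Capability check only. Any token issued to a capable app may delete
    any album, which is the class of bug the article describes."""
    _require_app_capability(token)
    if album_id not in albums:
        raise GraphApiError(100, "Unknown album")
    del albums[album_id]  # no check that token.user_id owns the album
    return {"success": True}


def delete_album_fixed(albums: Dict[str, Album],
                       token: AccessToken, album_id: str) -> dict:
    """Capability check plus object-level authorization: the album must
    belong to the user the token was issued for. (The denial message is
    an assumption; the real API's wording is not on the page.)"""
    _require_app_capability(token)
    album = albums.get(album_id)
    # One error for both "no such album" and "not your album", so a caller
    # cannot use the endpoint to probe which album ids exist.
    if album is None or album.owner_id != token.user_id:
        raise GraphApiError(100, "Unsupported delete request")
    del albums[album_id]
    return {"success": True}


def try_delete(handler: Callable[..., dict], albums: Dict[str, Album],
               token: AccessToken, album_id: str) -> Tuple[str, Optional[int]]:
    """Run a handler and summarize: ('deleted', None) or ('denied', code)."""
    try:
        handler(albums, token, album_id)
        return ("deleted", None)
    except GraphApiError as err:
        return ("denied", err.code)


if __name__ == "__main__":
    attacker = AccessToken(user_id="attacker", app_id="android_app")
    print("vulnerable:", try_delete(delete_album_vulnerable, make_albums(),
                                    attacker, "album_victim"))
    print("fixed:     ", try_delete(delete_album_fixed, make_albums(),
                                    attacker, "album_victim"))
```

The point of the model is that "which app is calling" and "which user is calling" are two separate questions; the request in the article passed the first and was never asked the second. The fixed handler also returns one error for a missing album and for someone else’s album, so the endpoint does not double as an album-id oracle.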
The Menace that was prevented:
According to a Naked Security blog post by web consultant Mark Stockley, Laxman could probably have sold that bug to somebody other than Facebook and earned a great deal more money than he got for doing the right thing.
Muthiyah definitely should be lauded for his uprightness and morality. This could have caused a lot of trouble for Facebook and its users around the world had Muthiyah sold this information to any of its competitors.
Wiping out all the photo albums from Facebook might have been a daunting task, states Stockley.
“In practice Facebook probably operates rate limiting or other countermeasures that would prevent a single device from doing too much harm, and even if it doesn’t, the social network is so large an attacker would probably struggle to delete albums as fast as people on Facebook create new ones.”
“But that’s just a question of horsepower, and horsepower is easy on the internet – there are kids running botnets of 60,000 computers.”