This Facebook Bug Allowed Anyone To Delete Your Photos
Original article from techcrunch.com
We came across this cheeky little news story the other day and thought it was an interesting read
How many photos do you have on Facebook? How many of those are photos you never thought to back up?
This just-disclosed Facebook bug would have allowed for anyone with a bit of technical know-how to delete any photo on Facebook.
Fortunately, the guy who discovered the bug (Laxman Muthiyah of India) was quick to give Facebook a heads up — and for his troubles, he got a $12,500 bounty. (Sure, the bug could have pretty easily done more than $12,500 worth of damage to Facebook — but that’s not quite how bug bounty projects work.)
Facebook turned around and fixed the bug in about two hours.
Facebook’s Graph API wasn’t checking permissions properly. If you sent a request to the Graph API to delete another user’s photo album and supplied your own Facebook for Android access token as the required stamp of approval, it’d blindly accept the token without checking that it belonged to the album’s owner, and the album would vanish.
On the attacker’s end, the album delete command would have looked something like this:
DELETE /[Victim’s_photo_album_id] HTTP/1.1
Host: graph.facebook.com
On the victim’s end, the photo album would have just… disappeared.
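To make the missing check concrete, here is an added example in Python (it is not Facebook's code and not from the original article; the token format, album store and user names are all constructed). It models a delete endpoint the way the bug worked, accepting any valid token as sufficient approval, next to a hardened version that enforces object-level authorization: the token must belong to the album's owner and carry the scope the action needs.

```python
"""Added example, not Facebook's code: a toy Graph-API-style album delete
endpoint with the missing authorization check beside a hardened version.
All data, token strings and names below are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    user_id: int          # the account the token was issued to
    app_id: str           # the client application the token was issued for
    scopes: frozenset     # granted permissions, e.g. {"user_photos"}


# Constructed sample data: two users, one album each.
ALBUMS = {
    1001: {"owner": 1, "title": "Alice holiday"},
    1002: {"owner": 2, "title": "Bob birthday"},
}

# Constructed token registry: opaque token string -> Token
TOKENS = {
    "tok-alice-android": Token(1, "official-android", frozenset({"user_photos"})),
    "tok-bob-web": Token(2, "web", frozenset({"user_photos"})),
    "tok-bob-thirdparty": Token(2, "third-party-app", frozenset({"public_profile"})),
}


def delete_album_vulnerable(album_id, access_token, albums):
    """Mirrors the bug: any syntactically valid token is treated as approval.
    Whether the token's user owns the album is never checked."""
    if access_token not in TOKENS:
        return 401, "invalid token"
    if album_id not in albums:
        return 404, "no such album"
    del albums[album_id]          # object-level authorization is missing here
    return 200, "deleted"


def delete_album_hardened(album_id, access_token, albums):
    """Object-level authorization: the token must carry the scope needed for
    the action, and the token's user must own the album being deleted."""
    token = TOKENS.get(access_token)
    if token is None:
        return 401, "invalid token"
    if "user_photos" not in token.scopes:
        return 403, "token lacks user_photos scope"
    album = albums.get(album_id)
    # Answer the same way whether the album is missing or owned by someone
    # else, so the endpoint does not confirm which IDs exist.
    if album is None or album["owner"] != token.user_id:
        return 404, "no such album"
    del albums[album_id]
    return 200, "deleted"


if __name__ == "__main__":
    store = {k: dict(v) for k, v in ALBUMS.items()}
    print(delete_album_vulnerable(1001, "tok-bob-web", store))   # Bob deletes Alice's album
    store = {k: dict(v) for k, v in ALBUMS.items()}
    print(delete_album_hardened(1001, "tok-bob-web", store))     # refused
    print(delete_album_hardened(1001, "tok-alice-android", store))  # owner succeeds
```

The hardened handler answers "no such album" both when the ID does not exist and when it belongs to another user; that is a deliberate choice so that an unauthorized caller learns nothing about which IDs are valid, which matters all the more when IDs are sequential.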
It’s a rather simple bug, really — one of those things that you’d just never expect to actually work.
But it did — and it could have had pretty nasty consequences. As Sophos points out, Facebook photo albums are identified and stored with simple, sequential numbers. If someone had run this from a server with a basic script that stepped through album IDs one by one, the attacker likely could have deleted a lot of photos before Facebook was any the wiser.
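The sequential-ID point is also what makes this kind of abuse detectable on the server side. The following added example (not from the article, not Facebook's tooling; the log format, token names and album IDs are constructed) scans request logs for one access token successfully deleting a long run of consecutive object IDs that belong to several different owners, which is the signature a scripted incrementer would leave.

```python
"""Added example, not from the article: flag one access token deleting many
consecutively numbered albums owned by different users. The log format and
every line in SAMPLE_LOG are constructed for this illustration."""

import re
from collections import defaultdict

# Constructed log lines: "<timestamp> <method> /<object_id> token=<t> owner=<uid> status=<code>"
SAMPLE_LOG = """\
2015-02-10T10:00:01Z DELETE /100200300001 token=t-abc owner=42 status=200
2015-02-10T10:00:02Z DELETE /100200300002 token=t-abc owner=77 status=200
2015-02-10T10:00:02Z DELETE /100200300003 token=t-abc owner=9 status=200
2015-02-10T10:00:03Z DELETE /100200300004 token=t-abc owner=13 status=200
2015-02-10T10:00:03Z DELETE /100200300005 token=t-abc owner=58 status=200
2015-02-10T10:00:04Z DELETE /100200300006 token=t-abc owner=61 status=200
2015-02-10T10:05:00Z DELETE /900800700010 token=t-xyz owner=5 status=200
2015-02-10T10:06:00Z DELETE /900800700011 token=t-xyz owner=5 status=200
2015-02-10T10:07:00Z GET /900800700012 token=t-xyz owner=5 status=200
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(\S+) (\S+) /(\d+) token=(\S+) owner=(\d+) status=(\d+)$"
)


def parse(log_text):
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, method, obj_id, token, owner, status = m.groups()
        events.append({
            "ts": ts, "method": method, "id": int(obj_id),
            "token": token, "owner": int(owner), "status": int(status),
        })
    return events


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids (0 if empty)."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(events, min_run=5):
    """One token, many successful DELETEs on consecutive IDs, several owners:
    that combination is what a blind incrementer looks like in the logs."""
    by_token = defaultdict(list)
    for e in events:
        if e["method"] == "DELETE" and e["status"] == 200:
            by_token[e["token"]].append(e)
    findings = []
    for token, evs in by_token.items():
        run = longest_consecutive_run(e["id"] for e in evs)
        owners = {e["owner"] for e in evs}
        if run >= min_run and len(owners) > 1:
            findings.append({
                "token": token, "deletes": len(evs),
                "longest_run": run, "distinct_owners": len(owners),
            })
    return findings


if __name__ == "__main__":
    for f in find_enumeration(parse(SAMPLE_LOG)):
        print(f)
```

In the sample data the token t-xyz deletes two adjacent albums it owns itself and is not flagged, while t-abc is reported for a run of six consecutive IDs across six owners; the thresholds are starting points to tune against real traffic.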
Let it be a gentle reminder: Facebook isn’t a backup drive. While your photos hopefully won’t vanish without warning, Facebook’s code isn’t infallible. Back up the stuff you love.