Facebook fixes security flaw that allowed "any" photo to be deleted

A security researcher said the social networking giant responded and fixed the problem within two hours, signaling how important the vulnerability was.
Written by Zack Whittaker, Contributor
(Image: Facebook via CNET)

Facebook has patched a security vulnerability that could've allowed a hacker to delete every single photo on the social networking site.

Facebook said in 2013 that more than 350 million photos were being uploaded to the site every day. That figure has almost certainly risen along with its user base, now 1.3 billion people. The number of photos Facebook stores is almost unfathomable, and the storage needed to hold them is correspondingly vast.

But according to one security researcher, a relatively simple bug may have had the capacity to delete that entire data bank.

"Any photo album owned by a user or a page or a group could be deleted," researcher Laxman Muthiyah wrote on his blog.

Muthiyah found the bug after poking around in Facebook's Graph API, a developer platform that allows websites and applications to tap into Facebook's data.

The Graph API is not supposed to let one user delete another person's photos or albums. But by reusing the access token issued to Facebook's own mobile app on his device, Muthiyah could send a delete request for an album he did not own and have it succeed: the API checked that the token was genuine and that the calling app was permitted to delete albums, but not that the token's user actually owned the album in question. Facebook effectively treated the album as his, giving him the ability to read, write, and delete it.
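The class of bug described here is a missing object-level authorization check, sometimes called an insecure direct object reference. The following toy server-side handler is an added illustration and is not Facebook's code or anything from Muthiyah's writeup; it assumes a delete endpoint of the form `DELETE /{album_id}?access_token=...`, a hypothetical first-party app id `facebook_mobile` that is the only app allowed to delete albums, and constructed album and user identifiers. The vulnerable version stops after verifying the token and the app's capability; the fixed version also compares the album's owner against the token's user.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    user_id: str  # account the token was issued to
    app_id: str   # application holding the token


class Forbidden(Exception):
    """Request failed authorization."""


# Constructed sample identifiers; nothing here is a real Facebook ID.
FIRST_PARTY_MOBILE_APP = "facebook_mobile"  # assumed: the only app allowed to delete albums
THIRD_PARTY_APP = "researcher_test_app"     # an ordinary developer app


def sample_albums():
    """album_id -> owner user_id (constructed data)."""
    return {"album_1001": "victim", "album_1002": "attacker"}


def _app_may_delete(token):
    # Capability check: is this app permitted to call the delete endpoint at all?
    return token.app_id == FIRST_PARTY_MOBILE_APP


def delete_album_vulnerable(albums, token, album_id):
    """Models DELETE /{album_id}?access_token=... with only a capability check.

    The token is genuine and the app is allowed to delete albums, so the
    request goes through even though the album belongs to someone else.
    """
    if album_id not in albums:
        return {"success": False, "error": "not found"}
    if not _app_may_delete(token):
        raise Forbidden("application does not have capability to make this API call")
    del albums[album_id]  # missing: does token.user_id own this album?
    return {"success": True}


def delete_album_fixed(albums, token, album_id):
    """Same endpoint with the object-level ownership check added."""
    if album_id not in albums:
        return {"success": False, "error": "not found"}
    if not _app_may_delete(token):
        raise Forbidden("application does not have capability to make this API call")
    if albums[album_id] != token.user_id:
        raise Forbidden("token owner does not own this album")
    del albums[album_id]
    return {"success": True}


def outcome(handler, token, album_id):
    """Run one delete request against fresh sample data and summarise the result."""
    albums = sample_albums()
    try:
        result = handler(albums, token, album_id)
    except Forbidden:
        return "denied"
    return "deleted" if result["success"] else result["error"]


if __name__ == "__main__":
    attacker = AccessToken(user_id="attacker", app_id=FIRST_PARTY_MOBILE_APP)
    print("vulnerable, victim's album:", outcome(delete_album_vulnerable, attacker, "album_1001"))
    print("fixed, victim's album:     ", outcome(delete_album_fixed, attacker, "album_1001"))
    print("fixed, own album:          ", outcome(delete_album_fixed, attacker, "album_1002"))
```

The point the example makes is that "is this token valid" and "is this app allowed to call this endpoint" are both authentication and capability questions; neither answers "is this caller allowed to act on this particular object". A third-party token is rejected by both handlers, which is exactly why testing only with one's own app token can hide the bug.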

The bug was severe enough that Facebook fixed it within two hours of his report.

For his efforts, he was awarded $12,500, one of the highest rewards available.

Sophos' Naked Security blog speculated that with enough resources, the researcher could have deleted every photo. It's "just a question of horsepower," the blog said.

Facebook did not immediately respond to a request for comment.

(via Naked Security)
