How Laxman Muthiyah found the bug that let anyone delete your Facebook photos

If you are the kind of person who thinks Facebook is a safe place to keep your photos, you may want to think twice. Recently Laxman Muthiyah, a security researcher from India, found a bug in Facebook's Graph API that let anyone delete your photo albums without your knowledge.

Here are the technical details of how he did it. You might be aware that Facebook (FB) provides a Graph API (#-Link-Snipped-#) for developers to read and write user data. Every call that reads or updates a user's data needs an access token, which is issued to a particular application on behalf of a particular user. The album node of the Graph API, however, is documented as not allowing the deletion of a user's photo albums, not even your own. As the screenshot below shows, Laxman tried to delete one of his own albums with an ordinary developer access token and was denied permission to do so.

[Screenshot 1: fb_bug_scrshot_1]

If you look at the error message in the screenshot, it does not say that albums cannot be deleted at all; it says that this particular application lacks the capability to make the call, which indirectly implies that some other application does have it. Since the "delete" option is visible in FB's official mobile application, Laxman tried deleting his own photo album again using the mobile app's access token, and this time it worked. He then went one step further and deleted another user's photo album with that same token, which belonged to his own account. In other words, the server was checking which application the token had been issued to, but not whether the user behind the token actually owned the album being deleted. The following screenshot shows that this succeeded too.

[Screenshot 2: fb_bug_scrshot_2]
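As an added illustration (this is not Facebook's code and not part of Laxman's write-up), the following Python sketch models the authorization mistake described above: a DELETE handler for an album node that checks only which application the access token was issued to, beside a hardened handler that also checks that the token's user owns the album. The application names, user ids, album ids and error strings are all constructed for the example.

```python
# Added example: toy model of the authorization flaw described in the post.
# Not Facebook's code; apps, tokens, users, album ids and messages are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    user_id: str   # user on whose behalf the token was issued
    app_id: str    # application the token was issued to


@dataclass
class Album:
    album_id: str
    owner_id: str


class Forbidden(Exception):
    """The call was rejected (message text is constructed, not FB's exact wording)."""


# Constructed: only the first-party mobile app is trusted to delete albums.
APPS_WITH_DELETE_CAPABILITY = {"fb_mobile_app"}


def delete_album_vulnerable(albums: dict, token: AccessToken, album_id: str) -> bool:
    """Mirrors the bug: the app's capability is checked, album ownership is not."""
    if token.app_id not in APPS_WITH_DELETE_CAPABILITY:
        raise Forbidden("application does not have the capability to make this call")
    if album_id not in albums:
        raise Forbidden("object not found")
    del albums[album_id]   # anyone holding a mobile-app token can delete any album
    return True


def delete_album_fixed(albums: dict, token: AccessToken, album_id: str) -> bool:
    """Hardened: the app capability AND object ownership must both hold."""
    if token.app_id not in APPS_WITH_DELETE_CAPABILITY:
        raise Forbidden("application does not have the capability to make this call")
    album = albums.get(album_id)
    # One identical response for "missing" and "not yours": answering them
    # differently would let a caller probe which album ids exist.
    if album is None or album.owner_id != token.user_id:
        raise Forbidden("object not found or not owned by the token's user")
    del albums[album_id]
    return True


def make_albums() -> dict:
    """Constructed sample data: the researcher's own album and a victim's album."""
    return {
        "album_1001": Album("album_1001", owner_id="user_laxman"),
        "album_2002": Album("album_2002", owner_id="user_victim"),
    }


def run_scenario(handler) -> dict:
    """Replay the three steps from the post against one handler.

    Returns step name -> True (album deleted) or the Forbidden message,
    plus the ids of the albums that survived.
    """
    albums = make_albums()
    dev_token = AccessToken(user_id="user_laxman", app_id="third_party_dev_app")
    mobile_token = AccessToken(user_id="user_laxman", app_id="fb_mobile_app")
    steps = [
        ("own_album_dev_token", dev_token, "album_1001"),       # denied, as in screenshot 1
        ("own_album_mobile_token", mobile_token, "album_1001"), # works with the mobile token
        ("victim_album_mobile_token", mobile_token, "album_2002"),  # the actual bug
    ]
    results = {}
    for name, token, album_id in steps:
        try:
            results[name] = handler(albums, token, album_id)
        except Forbidden as exc:
            results[name] = str(exc)
    results["remaining_albums"] = sorted(albums)
    return results


if __name__ == "__main__":
    for label, handler in (("vulnerable", delete_album_vulnerable), ("fixed", delete_album_fixed)):
        print(label, run_scenario(handler))
```

With the vulnerable handler the third step deletes the victim's album and nothing survives; with the fixed handler the same token is refused and "album_2002" remains. The fix is the point a reviewer would insist on for any object-level operation: the check "is this app allowed to delete albums?" answers a different question from "is this user allowed to delete this album?", and both must be asked.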

Being able to delete someone else's photo album with your own access token is obviously a serious problem. Laxman Muthiyah reported the issue to FB, whose security team confirmed and fixed it, and as a token of appreciation FB is awarding him a bounty of 12,500 USD for responsibly disclosing the vulnerability. You can refer to the video below to see exactly how he found the bug.


Source: #-Link-Snipped-# | Via: This Facebook Bug Allowed Anyone To Delete Your Photos • TechCrunch
