One Facebook user could have deleted every photo on the site

With great power comes great vulnerabilities.

Mar 1, 2020, 10:15 am*

Taylor Hatmaker

Given Facebook’s vast resources and hacker ethos, its site is one of the least hackable social networks around—but where there’s a will, there’s a way.

On Thursday, software engineer Laxman Muthiyah published a startling discovery: with a single four-line HTTP request, someone could delete your Facebook photos—and everyone else’s—in an instant.

Muthiyah, a white-hat hacker, reported the vulnerability to Facebook, which like many tech companies pays a “bug bounty” for reports of flaws like this one. As Muthiyah explained in a blog post titled “How I Hacked Your Facebook Photos,” a four-line DELETE request to Facebook’s Graph API would remove any photo album whose numeric ID the attacker could obtain, whether by guessing it, by reading it off a public album, or by having friend access to the owner. The API checked that the access token carried photo permissions, but not that the token’s owner actually owned the album being deleted; the Facebook for Android app’s token had the needed permissions. Here’s the request:

Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Since Facebook’s photo albums are identified by plain numeric IDs, a malicious user could theoretically run a script that walks through ID values and issues that request for each one, deleting every photo album ever uploaded to Facebook.
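The bug class here is a missing ownership check on a delete endpoint. The following is an added illustration, not Facebook’s code or anything from Muthiyah’s post: a toy in-memory model of an album store with two versions of the DELETE handler. The vulnerable version only verifies that the token carries the photo permission (mirroring what the article describes); the fixed version also requires that the token’s user owns the album. The album IDs, user names and scope name `user_photos` are constructed for the example. A small `sweep` helper plays the role of the ID-walking script the paragraph above warns about, so you can see how much each handler lets it delete.

```python
"""Toy model of the album-deletion authorization bug (constructed example).

A DELETE /<album_id> request arrives with an access token.  The only thing
that differs between the two handlers below is what the server checks before
it deletes.  Albums, users and the 'user_photos' scope are all made up.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class AccessToken:
    user: str             # account the token was issued to
    scopes: frozenset     # granted permissions, e.g. {"user_photos"}


@dataclass
class Album:
    album_id: int
    owner: str


def make_sample_albums() -> Dict[int, Album]:
    """Constructed data: sequential numeric IDs belonging to three owners."""
    return {
        1001: Album(1001, "alice"),
        1002: Album(1002, "bob"),
        1003: Album(1003, "carol"),
        1004: Album(1004, "alice"),
    }


def delete_album_vulnerable(albums: Dict[int, Album],
                            token: AccessToken, album_id: int) -> dict:
    """Checks that the token may delete *some* albums, never *this* one."""
    if "user_photos" not in token.scopes:
        return {"error": {"code": 403, "message": "missing user_photos scope"}}
    if album_id not in albums:
        return {"error": {"code": 404, "message": "unknown album"}}
    del albums[album_id]          # any valid photo-scoped token reaches here
    return {"success": True}


def delete_album_fixed(albums: Dict[int, Album],
                       token: AccessToken, album_id: int) -> dict:
    """Same as above, plus the ownership check the vulnerable handler lacks."""
    if "user_photos" not in token.scopes:
        return {"error": {"code": 403, "message": "missing user_photos scope"}}
    album = albums.get(album_id)
    # One identical 404 for "does not exist" and "not yours", so the endpoint
    # cannot be used to confirm which IDs exist in the ID space.
    if album is None or album.owner != token.user:
        return {"error": {"code": 404, "message": "unknown album"}}
    del albums[album_id]
    return {"success": True}


def sweep(delete_fn: Callable[[Dict[int, Album], AccessToken, int], dict],
          albums: Dict[int, Album], token: AccessToken,
          id_range: Iterable[int]) -> List[int]:
    """Walk a range of numeric IDs and report which ones the handler deleted."""
    deleted = []
    for album_id in id_range:
        if delete_fn(albums, token, album_id).get("success"):
            deleted.append(album_id)
    return deleted


if __name__ == "__main__":
    bob = AccessToken("bob", frozenset({"user_photos"}))
    store = make_sample_albums()
    print("vulnerable:", sweep(delete_album_vulnerable, store, bob, range(1000, 1010)))
    store = make_sample_albums()
    print("fixed:     ", sweep(delete_album_fixed, store, bob, range(1000, 1010)))
```

With Bob’s token, the vulnerable handler lets the sweep delete all four albums (including Alice’s and Carol’s); the fixed handler deletes only album 1002, the one Bob owns, and answers 404 for everything else. The fix is an authorization decision bound to the object, not just to the caller’s general permission level.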

Whoa.

Luckily for us and for Facebook, Muthiyah reported his findings and the company took the hack very seriously.

“Immediately reported this bug to Facebook security team,” Muthiyah wrote, before adding that “there was a fix in place in less than 2 hours from the acknowledgement of the report.” 

Muthiyah was rewarded quickly and handsomely with $12,500 through bugbountypayments.com, and Facebook has since patched the code. Just think: if Muthiyah’s hack had fallen into the wrong hands, those freshman-year beer-bong photos could have been gone for good.

H/T 7xter, Gizmodo. Illustration by Max Fleishman.

*First Published: Feb 13, 2015, 4:36 pm