One Facebook user could have deleted every photo on the site

Given Facebook’s vast resources and hacker ethos, its site is one of the least hackable social networks around—but where there’s a will, there’s a way.

On Thursday, software engineer Laxman Muthiyah published a startling discovery: with just a few lines of code, someone could delete your Facebook photos—and everyone else’s—in an instant.

Muthiyah, a white-hat hacker, reported the vulnerability to Facebook, which like many tech companies awards a “bug bounty” for proof of loopholes like this one in its code. As Muthiyah explained in a blog post titled “How I Hacked Your Facebook Photos,” just four lines of code could send a Facebook API call that would trigger the deletion of any photo album a user could find the ID for, whether by guessing, through public permissions, or by having friend permissions. Here’s the chunk of code:

Request :-
DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Since Facebook’s photo albums are named numerically in sequence, a malicious user could theoretically execute a script to delete every photo album ever uploaded to Facebook.
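The flaw described above comes down to a delete operation that accepts any valid token without checking who owns the album. The sketch below is an added illustration, not code from Muthiyah's post or from Facebook: it contrasts that behaviour with an ownership check on a toy in-memory store, and every name and sample value in it (`AlbumStore`, the tokens, the album IDs) is hypothetical.

```python
# Added illustration: a toy album store, not Facebook's implementation.
# All class names, tokens and album IDs are hypothetical, constructed values.
from dataclasses import dataclass


@dataclass
class Album:
    album_id: int
    owner_id: str


class AlbumStore:
    def __init__(self, albums, tokens):
        self.albums = {a.album_id: a for a in albums}
        self.tokens = tokens   # access token -> user id
        self.audit = []        # (user, album_id, outcome) records for detection

    def _caller(self, token):
        user = self.tokens.get(token)
        if user is None:
            raise PermissionError("invalid access token")
        return user

    def delete_unchecked(self, token, album_id):
        """Flawed: any valid token deletes any album whose ID is known."""
        self._caller(token)
        return self.albums.pop(album_id, None) is not None

    def delete_checked(self, token, album_id):
        """Hardened: the caller must own the album being deleted."""
        user = self._caller(token)
        album = self.albums.get(album_id)
        # Same answer for "missing" and "not yours", so IDs cannot be probed.
        if album is None or album.owner_id != user:
            self.audit.append((user, album_id, "denied"))
            return False
        del self.albums[album_id]
        self.audit.append((user, album_id, "deleted"))
        return True

    def denials(self, user):
        """Refused deletes per user; a burst across sequential IDs is a signal."""
        return sum(1 for u, _, o in self.audit if u == user and o == "denied")


def make_store():
    # Constructed sample data: two users, three sequentially numbered albums.
    albums = [Album(1001, "alice"), Album(1002, "bob"), Album(1003, "bob")]
    return AlbumStore(albums, {"tok-alice": "alice", "tok-bob": "bob"})
```

With the ownership check in place, sequential album IDs stop mattering: knowing an ID no longer grants any ability to act on it, and refused attempts leave an audit trail.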

Whoa.

Luckily for us and for Facebook, Muthiyah reported his findings and the company took the hack very seriously.

“Immediately reported this bug to Facebook security team,” Muthiyah wrote, before adding that “there was a fix in place in less than 2 hours from the acknowledgement of the report.” 

Muthiyah was rewarded quickly and handsomely with $12,500 through bugbountypayments.com, and Facebook has since patched the code. Just think, if Muthiyah’s hack had fallen into the wrong hands, those freshman-year beer-bong photos could have been gone for good.

H/T 7xter, Gizmodo | Illustration by Max Fleishman

Taylor Hatmaker

Taylor Hatmaker has reported on the tech industry for nearly a decade, covering privacy and government. Most recently, she was the Debug editor of the Daily Dot. Prior to that, she was a staff writer and deputy editor at ReadWrite, a tech and business reporter for Yahoo News, and the senior editor of Tecca. Her editorial interests include censorship, digital activism, LGBTQ issues, and futurist consumer tech.