How a White Hat Hacker Saved Your Facebook Photos

You'll never believe how close we came.

For many people, Facebook pictures are a way to visually catalog their lives; an ever-expanding, always-available, interactive photo history where friends and family can reminisce about the college parties and family vacations of yesteryear.

But picture, if you will, a world where your Harry Potter midnight premiere photo album is simply zapped from existence. Imagine waking up one morning to find that the pictures from that Color Run you did last summer have simply vanished into thin air, dropped from the cloud.

You hiked to Machu Picchu, huh? Where are the pictures to prove it? Gone.

A hacker discovered a bug that made it possible for anyone with a little bit of know-how to delete other people's photo albums.

This scenario allegedly came scarily close to reality, prevented only by the deft skills of a hacker with a heart of gold. Earlier this year, white hat hacker Laxman Muthiyah discovered a bug that made it possible for anyone with a little bit of knowhow to delete other people's photo albums.

The key to the exploit was a vulnerability in Facebook's Graph API, the system that app developers use to read and write user data on Facebook. Through the vulnerability, a hacker could use access tokens—time-limited alphanumeric keys that let apps access secure user information—to delete photo albums.

Although deleting public photo albums using a standard Facebook access token isn't possible, Laxman quickly discovered that he could work around that limitation by using an access token from the Facebook app for Android.

Upon fixing the bug, Facebook reached out to Muthiyah and offered him a reward of $12,500.

The bug would have required the hacker to know each photo album's ID and have permission to view it based on its privacy settings. However, since these IDs are sequential, a script could easily be written to automatically generate photo album IDs and test them for vulnerability. Ostensibly, the results could have been devastating.

Laxman sent a message to Facebook's security team detailing the bug, and to the company's credit, he says it was patched in less than two hours. For his troubles, Facebook rewarded him a bounty of US$12,500. Not bad for day's work.

 

 

Michael Desjardin 
February 19, 2015