Facebook is probably the biggest database of photographs ever compiled.
We upload around 350 million photos to the world’s most popular social network every day. Facebook users aren’t quite as busy sharing photos as the kids who use Snapchat or WhatsApp but they’re not far off, and they’ve been doing it a lot longer.
In a beautiful and terrifying illustration of the vast asymmetries that the internet can create, security researcher Laxman Muthiyah has revealed how he discovered he had the power to delete billions of images. If he was allowed to see it, he was allowed to delete it.
Thankfully for Facebook’s 1.3 billion users Laxman’s moral compass was in fine working order that day. He reported the bug to Facebook as soon as he found it, netting himself a cool $12,500 USD bug bounty in return.
Facebook’s response was swift – to its great credit the bug was fixed across its vast network within 2 hours.
OMG :D the album got deleted! So i got the key to delete all of your Facebook photos :P lol :D
Immediately reported this bug to Facebook security team. They were too fast in identifying this issue and there was a fix in place in less than 2 hours from the acknowledgement of the report.
And let’s be absolutely clear, Laxman had options.
The bug he discovered is a weapon. It wouldn’t have killed anyone but it could have caused misery to to millions.
Laxman could probably have sold that bug to somebody other than Facebook and earned a great deal more money than he got for doing the Right Thing.
Or he could have milked it; kept his discovery under wraps (giving somebody less upstanding a chance to find it), engaged a PR firm and given it a fancy name.
And of course he had the chance to make himself The Man That Wrecked Facebook if he wanted to take it. Do you think LizardSquad would have blinked before inflicting misery for the sake of self-aggrandisement?
Kudos Laxman.
You might think that pulling off something like this requires genius and technology on an equally epic scale.
Not a bit of it.
In theory you could do it with a few lines of code and a phone or a Raspberry Pi. Hell, the code would probably run on a digital watch.
In practice Facebook probably operates rate limiting or other countermeasures that would prevent a single device from doing too much harm – and even if it doesn’t, the social network is so large an attacker would probably struggle to delete albums as fast as people on Facebook create new ones.
But that’s just a question of horsepower, and horsepower is easy on the internet – there are kids running botnets of 60,000 computers.
Laxman discovered the bug whilst poking about in Facebook’s Graph API (Application Program Interface).
The Graph API is the official Facebook interface for websites, apps and other computer programs that want to integrate with Facebook.
Unlike the glossy, graphical, point-and-click interface that we humans use, it’s a terse, code interface that’s driven by HTTP requests rather than taps, typing or mouse clicks.
It allows computer programs to do the same things that humans can do with Facebook and much more besides.
Just like the human interface, users of the API are not supposed to be able to edit or delete things that belong to somebody else.
What Laxman discovered was a bug that allowed him to do just that if he used a Facebook for Android access token to authenticate himself.
So long as he had the photo album id and permission to view the album he could delete it. The anti-Facebook super-weapon was no more than a four line HTTP request:
DELETE /<victim's album in> HTTP/1.1 Host : graph.facebook.com Content-Length: 245 access_token=<attacker's Facebook for Android token>
Facebook album IDs are numeric, which means that guessing them is easy – you start with 1 and just keep going up.
So wrap that 4 line request in a loop and increment the ID from one to a trillion and you’ve got yourself a micro-David to take on Facebook’s photographic mega-Goliath.
Update 2015-02-12
Facebook got in touch, keen to explain that this bug only applies to photo albums that the attacker has permission to view which, to all practical purposes, means photo albums that are public.
Your Cover Photos and Profile Pictures albums are public by default, for instance.
Taking out those albums alone, never mind any other public albums, would still amount to a hugely damaging attack but in light of this information we’ve changed the original headline and two sentences in the article to better reflect the nature of the bug.
Facebook’s spokesperson said:
We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims. To be clear, triggering this issue would have required knowledge of the ID of the target photo album, as well as permission to view the album based on the album's privacy settings. We’d like to thank the researcher who reported the issue to us through our bug bounty program.
Lydia Morris
What a dude.
JR
Even if he had decided to do this, don’t you think that they could easily be restored by Facebook?
Mark Stockley
I’m sure Facebook would be able to restore them, yes, but that doesn’t mean it isn’t disruptive.
Sony and Microsoft recovered from their Christmas day DDoS attack in a day or so but that didn’t stop it being hugely disruptive.
Microsoft’s reputation took a dent that day – how big a dent do you need to put in Facebook before something else looks like a safer bet?
It’s notable that the bug made it through Facebook’s bug triage process, into development, out of development and on to the site in under two hours – that’s *fast*.
Guy
Normally it’s “Move fast and break things”. I guess this time it was “Move fast and fix things”.
I don’t get the impression that Facebook have quite the same attitude to QA as say, IBM.
GB
This was probably broken by previous fast movement.
Anonymous
I’m sure FB would have backups so could restore if this happened.
anonymous
Not at all the point here.
Layi Egbeyemi
Nice headline. One man could have deleted every ‘photo’ on Facebook. Meanwhile, your story is about someone using FB’s API to delete ‘albums’ by ‘guessing’ albums’ IDs. This is the kind of ‘journalism’ that got Brian Williams in toruble!
billy
completely valid headline. the albums are in sequential order so it would be quite simple to write the code to delete them. there is no randomization whatsoever….you have no understanding of how simple this would have been.
Andy
Or maybe you could have read how you can increment the album number and loop the script.
Anonymous
so much burn
Mark Stockley
Photos are presented to users in albums, which is why I went with that headline. Every photo that’s uploaded is part of an album (e.g. Instagram, Mobile Uploads etc) even if you don’t put it in one.
I’m sure that in the back end they’re stored as a multitude of redundant binary blobs in something like a giant Hadoop database – photos and photo albums are probably very, very difficult to delete completely.
And yes, guessing is a bona fide part of many attacks. You get spam to gmail accounts nobody knows about because spammers guess email addresses. Password cracking is the art of making good guesses.
Andy
Bro tier move. I still dislike facebook.
Justin Xin
Nice. I wonder what would’ve happened if suddenly all our photos disappeared.
Mark Stockley
Panic, fear, anger, doubt, hang wringing, teeth gnashing, apologies, a restoration from backup, an FBI man hunt and then a ridiculously long and disproportionate prison sentence for the perpetrator.
That’s what normally happens anyway.
Scott McCain
That’s a pretty rookie mistake by Facebook. I’m surprised they let something that big slip through the cracks. I would expect QA might have addressed that particular test case already. Also, didn’t they test these REST endpoints? The first test I would have done would have been to send in bogus album id’s (well maybe test a bogus token first).
Jack
Yeah, it’s a pretty clear indication of the amount and quality of testing they’re doing, which, I’d guess, is not much
GB
MoVe fast and break things. No time for QA.
jonathanpdx
Given how much Facebook relaies on the information its users so willingly provide to keep up its revenue stream, it’s no wonder they hopped to it and fixed the bug ASAP. Keep the cattle happy and well fed and they will provide much meat and milk.
Laxman Muthiyah
Thanks for the post man (y)
David
What did Facebook do to fix it?
Andrew Ludgate
Should have been a pretty simple fix: just apply the same checks to the android certs that they do to other validation methods. All the actual logic was in place; they likely just needed to fix a line of code that was still using a test library where it should have been using the deployment library.
Mark Stockley
What amazed me isn’t that they fixed it quickly, it’s how quickly they realised they needed to fix it quickly.
I bet their triage team spend days wading through false positives and insignificant bugs.
To go from being informed, to making a decision, to getting it in the hands of the right person, them not being on lunch, fixing it, testing it and then deploying across their enormous infrastructure in two hours is staggering.
Even if 99.9% of that time was spent in bureaucracy it’s still lean as hell.
Jack
Agree Mark, I don’t like them but that’s impressive
Anonymous
He explains it here:
http://www.7xter.com/2015/02/how-i-hacked-your-facebook-photos.html
Mahmood
All of you are assuming FB have backup and can restore easily. That is not really the case. Which one they want to restore? How do you know the deleted one is done by bad guy? How far you go back when you are restoring?
Anonymous
Not that I want to be picky but I think I found two typos:
1- I think it should read “Update 2015-02-12”, unless the article is this year’s and the update was made last year.
2- In the same update section, you have a double “but” in the 3rd paragraph.
Paul Ducklin
Fixed, thanks!
Blake
Is it just me or does it seem like Facebook is a little cheap on the bug bounties? I really haven’t paid much attention to what companies pay.
GaryB AMoose
Integrity. Courage. Humor.
Barbara E Bj
Some people get paid for finding bugs and others don’t. I found security flaws with photos which made the privacy setting useless anytime a user shared any photo from any album. I was able to get in a backdoor to all of the albums by opening the photo of one album.
Facebook fixed that flaw and many others I pointed out a long time ago, but acted like they didn’t understand what I was saying the one and only time they ever wrote back to me about all of the messages I sent them.
And, back then, it was really hard to figure out how to even contact anyone working at Facebook.
I used to be a programmer and tested software, also, in the past. So, it was almost an addiction for me to try to see how well things worked on any particular site I used regularly just as I did all the time before the internet came along.
But, FB didn’t even acknowledge me for finding the flaws in their security. I didn’t expect them to, at that time, but later when I started hearing that they were paying others to find less serious flaws on a regular basis, I was a bit annoyed, to say the least, that I didn’t even get a thank you.
LOL! Oh well. Water under the bridge now.