Naked Security

How one man could have deleted any photo album he could see on Facebook

Facebook is probably the biggest collection of photographs ever assembled, so it would be pretty bad if one man could delete every last one of them with his phone. Thankfully, that's what Laxman Muthiyah thought too.

Facebook is probably the biggest database of photographs ever compiled.

We upload around 350 million photos to the world’s most popular social network every day. Facebook users aren’t quite as busy sharing photos as the kids who use Snapchat or WhatsApp but they’re not far off, and they’ve been doing it a lot longer.

In a beautiful and terrifying illustration of the vast asymmetries that the internet can create, security researcher Laxman Muthiyah has revealed how he discovered he had the power to delete billions of images. If he was allowed to see it, he was allowed to delete it.

Thankfully for Facebook’s 1.3 billion users Laxman’s moral compass was in fine working order that day. He reported the bug to Facebook as soon as he found it, netting himself a cool $12,500 USD bug bounty in return.

Facebook’s response was swift – to its great credit the bug was fixed across its vast network within 2 hours.

In Laxman’s own words:

OMG :D the album got deleted! So I got the key to delete all of your Facebook photos :P lol :D
Immediately reported this bug to Facebook security team. They were too fast in identifying this issue and there was a fix in place in less than 2 hours from the acknowledgement of the report.

And let’s be absolutely clear, Laxman had options.

The bug he discovered is a weapon. It wouldn’t have killed anyone but it could have caused misery to millions.

Laxman could probably have sold that bug to somebody other than Facebook and earned a great deal more money than he got for doing the Right Thing.

Or he could have milked it; kept his discovery under wraps (giving somebody less upstanding a chance to find it), engaged a PR firm and given it a fancy name.

And of course he had the chance to make himself The Man That Wrecked Facebook if he wanted to take it. Do you think LizardSquad would have blinked before inflicting misery for the sake of self-aggrandisement?

Kudos Laxman.

You might think that pulling off something like this requires genius and technology on an equally epic scale.

Not a bit of it.

In theory you could do it with a few lines of code and a phone or a Raspberry Pi. Hell, the code would probably run on a digital watch.

In practice Facebook probably operates rate limiting or other countermeasures that would prevent a single device from doing too much harm – and even if it doesn’t, the social network is so large an attacker would probably struggle to delete albums as fast as people on Facebook create new ones.

But that’s just a question of horsepower, and horsepower is easy on the internet – there are kids running botnets of 60,000 computers.

Laxman discovered the bug whilst poking about in Facebook’s Graph API (Application Program Interface).

The Graph API is the official Facebook interface for websites, apps and other computer programs that want to integrate with Facebook.

Unlike the glossy, graphical, point-and-click interface that we humans use, it’s a terse, code-level interface that’s driven by HTTP requests rather than taps, typing or mouse clicks.

It allows computer programs to do the same things that humans can do with Facebook and much more besides.

Just like the human interface, users of the API are not supposed to be able to edit or delete things that belong to somebody else.

What Laxman discovered was a bug that allowed him to do just that if he used a Facebook for Android access token to authenticate himself.

So long as he had the photo album ID and permission to view the album, he could delete it. The anti-Facebook super-weapon was no more than a four-line HTTP request:

DELETE /<victim's album id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<attacker's Facebook for Android token>
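To make the authorisation failure concrete, here is an added example (not Facebook's code; the Graph API's internals are not public) of a server-side permission check modelled on the report: the read check is correct, but the Android token path reuses it for DELETE. The `client` tag on the token, the function names and all IDs are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Album:
    album_id: int
    owner_id: int
    public: bool          # True for albums such as "Cover Photos" by default

@dataclass(frozen=True)
class Token:
    user_id: int
    client: str           # hypothetical client tag: "web" or "android"

def can_view(album: Album, token: Token) -> bool:
    """Read permission: the owner always, anyone else only for public albums."""
    return album.public or album.owner_id == token.user_id

def can_modify(album: Album, token: Token) -> bool:
    """Write/delete permission: only the album's owner."""
    return album.owner_id == token.user_id

def authorize_vulnerable(method: str, album: Album, token: Token) -> bool:
    """Bug pattern modelled on the report: the Android token path reuses the
    read check for DELETE, so anything the caller can see, the caller can erase."""
    if method == "GET":
        return can_view(album, token)
    if method == "DELETE":
        if token.client == "android":
            return can_view(album, token)   # wrong check for a destructive verb
        return can_modify(album, token)
    return False

def authorize_fixed(method: str, album: Album, token: Token) -> bool:
    """Fix: the permission is chosen by the verb, never by the client that
    minted the token. Visibility is never sufficient for DELETE."""
    if method == "GET":
        return can_view(album, token)
    if method == "DELETE":
        return can_modify(album, token)
    return False

# Constructed sample data, not real Facebook IDs.
COVER_PHOTOS = Album(album_id=1000, owner_id=1, public=True)
PRIVATE_ALBUM = Album(album_id=1001, owner_id=1, public=False)
ATTACKER_ANDROID = Token(user_id=2, client="android")
ATTACKER_WEB = Token(user_id=2, client="web")
OWNER = Token(user_id=1, client="web")
```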

Facebook album IDs are numeric, which means that guessing them is easy – you start with 1 and just keep going up.

So wrap that four-line request in a loop and increment the ID from one to a trillion and you’ve got yourself a micro-David to take on Facebook’s photographic mega-Goliath.
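On the defensive side, sequential numeric IDs cut both ways: a sweep through them leaves an obvious trace. Here is an added example (not from Facebook or this article) of a log check that flags any token issuing DELETE requests against a run of consecutive album IDs; the log format and every line in it are constructed.

```python
import re
from collections import defaultdict

# Constructed access-log excerpt (method path status token), not real traffic.
SAMPLE_LOG = """\
DELETE /100 200 tok_a
DELETE /101 200 tok_a
DELETE /102 403 tok_a
DELETE /103 200 tok_a
DELETE /9001 200 tok_b
DELETE /42 200 tok_c
DELETE /43 200 tok_c
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) /(?P<album_id>\d+) (?P<status>\d{3}) (?P<token>\S+)$")

def parse_log(text):
    """Yield (method, album_id, status, token) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["method"], int(m["album_id"]), int(m["status"]), m["token"]

def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    present = set(ids)
    best = 0
    for start in present:
        if start - 1 in present:        # not the head of a run, skip it
            continue
        n = 1
        while start + n in present:
            n += 1
        best = max(best, n)
    return best

def find_enumerators(log_text, min_run=3):
    """Map token -> run length for tokens whose DELETEs cover at least min_run
    consecutive album IDs. Every status counts: a 403 mid-sweep is still a sweep."""
    deletes = defaultdict(list)
    for method, album_id, _status, token in parse_log(log_text):
        if method == "DELETE":
            deletes[token].append(album_id)
    flagged = {}
    for token, ids in deletes.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[token] = run
    return flagged
```

Per-token rate limiting on destructive verbs would blunt the same pattern before it reaches the logs; this check is the after-the-fact view.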

Update 2015-02-12

Facebook got in touch, keen to explain that this bug only applies to photo albums that the attacker has permission to view which, to all practical purposes, means photo albums that are public.

Your Cover Photos and Profile Pictures albums are public by default, for instance.

Taking out those albums alone, never mind any other public albums, would still amount to a hugely damaging attack but in light of this information we’ve changed the original headline and two sentences in the article to better reflect the nature of the bug.

Facebook’s spokesperson said:

We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims. To be clear, triggering this issue would have required knowledge of the ID of the target photo album, as well as permission to view the album based on the album's privacy settings. We’d like to thank the researcher who reported the issue to us through our bug bounty program.