Facebook may hold the largest database of photos in the world. Every day, about 350 photos arrive from around the world.
Security researcher Laxman Muthiyah discovered a way that would have let him, had he wished, delete every photo ever uploaded to the popular social network.
Fortunately for Facebook and its 1.3 billion users, Muthiyah had no malicious intent. He reported the bug to Facebook and was awarded $12,500.
To Facebook's credit, the response was immediate: the bug was fixed across the network within 2 hours.
Laxman says:
OMG :D the album got deleted! So I got the key to delete all of your Facebook photos :P lol :D
Immediately reported this bug to Facebook security team. They were too fast in identifying this issue and there was a fix in place in less than 2 hours from the acknowledgment of the report.
Of course, Laxman had other options.
The bug he discovered is a weapon. It might not kill anyone, but it could have made hundreds of millions of people miserable.
Laxman could probably have sold the bug on the underground market and earned far more than Facebook paid him.
Or he could have kept his discovery secret and exploited it for his own benefit, as LizardSquad would. Do you think that if LizardSquad had discovered the vulnerability, they would have reported it to Facebook?
Laxman discovered the bug while examining Facebook's Graph API (Application Programming Interface).
The Graph API is how web pages, applications and other programs that need to integrate with Facebook talk to it.
It is a simple interface driven by HTTP requests. It lets applications do the same things Facebook users do, and many more.
Of course, API users should not be able to modify or delete things belonging to someone else.
What Laxman discovered was a bug that allowed him to do just that, using an access token from the Facebook for Android app to authenticate himself.
The Facebook vulnerability was nothing more than four lines of code (the album ID and the token value are omitted here, as in the original write-up):

    DELETE / HTTP/1.1
    Host: graph.facebook.com
    Content-Length: 245
    access_token=

Facebook album IDs are numeric, which means one could start at 1 and simply keep going until nothing was left. Faster still, an attacker could wrap the request above in a script that loops from 1 to one trillion.
Guess the result.
See PoC
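As an added illustration (not the article's or Facebook's code), here is a minimal model of a Graph-style DELETE handler: the vulnerable form only authenticates the caller, the hardened form also checks ownership and scope, and a small helper flags the sequential-ID sweeps the article describes. The album and token data and the scope name "user_photos" are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Album:
    album_id: int
    owner_id: int

@dataclass
class Token:
    user_id: int          # subject the access token was issued to
    scopes: frozenset     # granted permissions (scope name is constructed)

class AlbumStore:
    def __init__(self, albums):
        self.albums = {a.album_id: a for a in albums}

    def delete_vulnerable(self, album_id, token):
        # Authenticates (a valid token is presented) but never authorizes:
        # any valid token can delete any existing album. This is the bug class.
        if album_id not in self.albums:
            return False
        del self.albums[album_id]
        return True

    def delete_hardened(self, album_id, token):
        # Authorize: the token's subject must own the album and hold the scope.
        # Missing and foreign albums look identical, so responses do not reveal IDs.
        album = self.albums.get(album_id)
        if album is None or album.owner_id != token.user_id:
            return False
        if "user_photos" not in token.scopes:
            return False
        del self.albums[album_id]
        return True

def sequential_sweep(album_ids, window=5):
    # Server-side signal for enumeration: one token walking consecutive numeric IDs.
    run = 1
    for prev, cur in zip(album_ids, album_ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= window:
            return True
    return False

def demo():
    # Constructed data: album 1001 belongs to user 1; the caller holds a token for user 2.
    caller = Token(user_id=2, scopes=frozenset({"user_photos"}))
    vulnerable = AlbumStore([Album(1001, owner_id=1)])
    hardened = AlbumStore([Album(1001, owner_id=1)])
    return vulnerable.delete_vulnerable(1001, caller), hardened.delete_hardened(1001, caller)
```

`demo()` returns `(True, False)`: the same foreign token succeeds against the vulnerable handler and is refused by the hardened one.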