A security researcher doing a little investigation on his own time came across a serious flaw in Facebook: Any photo album could be deleted with just four little lines of code.
Laxman Muthiyah blogs about his discovery in a post titled “How I Hacked Your Facebook Photos,” and shares how he came across this major error.
Muthiyah writes that he was playing around with Facebook’s API when he began to wonder what would happen if you tried to delete other people’s pictures without their permission. To answer that question, he tried it.
This video shows how:
His first attempt involved using the Graph API Explorer access token to delete a photo album, but the request returned an error message. Although the action could not be carried out, the error message implied that there was a way to delete an album.
Using his Facebook for mobile access token, Muthiyah again attempted to delete his album. And it worked. After deleting his own album, he moved to a “victim’s” album and tried to delete it, and that worked too, exposing a major flaw in the system.
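The flaw described above is an authorization bug: the API verified that the caller held a token allowed to delete albums, but not that the album belonged to the token’s user. The following is an added illustration, not code from the article or from Facebook, that models the bug class in a small in-memory service: a vulnerable delete handler beside the hardened one, replayed against the same three requests the story walks through. Every user id, album id, token, client name and scope string is constructed sample data.

```python
# Added example (not the article's or Facebook's code): a toy album API that
# shows the missing-ownership-check bug beside its fix. All identifiers are
# constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    user_id: str        # the user the token was issued for
    client: str         # the app the token was issued to
    scopes: frozenset   # capabilities granted to that app


@dataclass
class Album:
    album_id: str
    owner_id: str
    photo_count: int = 0


class Forbidden(Exception):
    """Token's client is not allowed to perform this action at all."""


class NotFound(Exception):
    """Album does not exist (or, in the fixed handler, is not yours)."""


def sample_albums() -> dict:
    # Constructed: two albums owned by two different users.
    return {
        "album-100": Album("album-100", "user-alice", 12),
        "album-200": Album("album-200", "user-bob", 3),
    }


def sample_tokens() -> dict:
    # Constructed: a read-only token (like the explorer token that errored
    # in the story) and a mobile-app token that carries the delete scope.
    return {
        "tok-alice-readonly": Token("user-alice", "api-explorer", frozenset({"album.read"})),
        "tok-alice-mobile": Token("user-alice", "mobile-app", frozenset({"album.read", "album.delete"})),
    }


def delete_album_vulnerable(albums: dict, token: Token, album_id: str) -> bool:
    """Checks that the client may delete albums, but never whose album it is."""
    if "album.delete" not in token.scopes:
        raise Forbidden("client not permitted to delete albums")
    if album_id not in albums:
        raise NotFound(album_id)
    del albums[album_id]  # BUG: token.user_id is never compared to the owner
    return True


AUDIT_LOG = []  # denied cross-user attempts, for detection


def delete_album_fixed(albums: dict, token: Token, album_id: str) -> bool:
    """Same capability check, plus a resource-ownership check."""
    if "album.delete" not in token.scopes:
        raise Forbidden("client not permitted to delete albums")
    album = albums.get(album_id)
    if album is None or album.owner_id != token.user_id:
        # Ownership failures are logged for monitoring but answered exactly
        # like a missing album, so callers learn nothing about others' ids.
        if album is not None:
            AUDIT_LOG.append(
                f"DENY delete album={album_id} actor={token.user_id} owner={album.owner_id}"
            )
        raise NotFound(album_id)
    del albums[album_id]
    return True


def run_scenario(handler) -> dict:
    """Replays the three requests from the article against one handler:
    read-only token on own album, mobile token on own album, mobile token
    on someone else's album. Returns each outcome and the surviving albums."""
    albums = sample_albums()
    tokens = sample_tokens()
    requests = [
        ("readonly_own", "tok-alice-readonly", "album-100"),
        ("mobile_own", "tok-alice-mobile", "album-100"),
        ("mobile_other", "tok-alice-mobile", "album-200"),
    ]
    outcomes = {}
    for label, tok, target in requests:
        try:
            outcomes[label] = "deleted" if handler(albums, tokens[tok], target) else "kept"
        except Forbidden:
            outcomes[label] = "forbidden"
        except NotFound:
            outcomes[label] = "not_found"
    outcomes["remaining"] = sorted(albums)
    return outcomes


if __name__ == "__main__":
    print("vulnerable:", run_scenario(delete_album_vulnerable))
    print("fixed:     ", run_scenario(delete_album_fixed))
    print("audit:     ", AUDIT_LOG)
```

Run stand-alone, the vulnerable handler lets the mobile token remove both albums, while the fixed one removes only the caller’s own album and records the cross-user attempt in the audit list. The design point is that a capability or scope check answers “may this app delete albums?” and an ownership check answers “may this user delete this album?”; an endpoint that takes a resource id from the caller needs both.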
Muthiyah did the upright thing and immediately reported the issue to Facebook, and the bug was fixed within two hours. He was also awarded a $12,500 bounty for being a stand-up guy.