A security researcher earned a tidy reward from Facebook for reporting a major hole in the social network’s code
Facebook has patched a serious hole that allowed anyone to delete any user’s photos using only four lines of code. In a blog post on 7Xter, Laxman Muthiyah described the hole he discovered and said he could delete any photo album in just seconds using the code.
Facebook pays the researcher
The security researcher reported the hole to Facebook, which patched it immediately and paid him a $12,500 reward for discovering and reporting it. Muthiyah said he had been playing around with the social network’s Graph API and wondered what would happen if someone’s photos were deleted without their knowing about it.
“Obviously that’s very disgusting isn’t it,” he wrote in his blog post.
Easy to delete photos from Facebook
The cyber-security researcher made it sound easy to delete anyone’s photo albums from Facebook. He tried it using a “Facebook for mobile” access token. This method gives a delete option for all of the photo albums that have been loaded into Facebook’s mobile app, and he said the app uses the same Graph API. He picked a photo album ID and a token for Facebook for Android, tried the deletion, and it succeeded.
As Adam Clark Estes of Gizmodo explains, the tokens used for Facebook access are basically just character strings that give apps permission to access a particular user’s profile. For example, logging into a game using a Facebook profile creates a unique token to allow users to get into the game using their profile on the social network.
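The bug described above is an authorization failure rather than a broken token: the API confirmed that the caller held a valid access token but never checked that the token’s user owned the album being deleted. The following is an added example, not code from Facebook or from Muthiyah’s post, that models a DELETE-album handler both ways on constructed data; the album IDs, token strings, app names and the “photos:write” scope are all invented for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    """A bearer token as issued to one client app for one user (constructed model)."""
    user_id: str        # the user who authorised the token
    app_id: str         # the client app the token was issued to
    scopes: frozenset   # permissions granted; "photos:write" is a hypothetical scope name


# Constructed sample state: two users' albums and two issued tokens.
ALBUMS = {
    "album_1001": {"owner": "user_alice", "title": "Holiday"},
    "album_2002": {"owner": "user_bob", "title": "Birthday"},
}
TOKENS = {
    "tok_alice_mobile": AccessToken("user_alice", "app_mobile", frozenset({"photos:write"})),
    "tok_bob_game": AccessToken("user_bob", "app_game", frozenset({"public_profile"})),
}


def delete_album_vulnerable(token_str, album_id, albums):
    """Authenticates the caller but never checks who owns the album.

    Any valid token can delete any album ID it can guess: the pattern
    the article describes (an insecure direct object reference)."""
    if token_str not in TOKENS:
        return "invalid_token"
    if album_id not in albums:
        return "not_found"
    del albums[album_id]
    return "deleted"


def delete_album_hardened(token_str, album_id, albums):
    """Authenticates the caller, then authorises the specific operation:
    the album must belong to the token's user and the token must carry
    a write scope for photos."""
    token = TOKENS.get(token_str)
    if token is None:
        return "invalid_token"
    album = albums.get(album_id)
    # Same answer for a missing album and for someone else's album, so the
    # endpoint cannot be used to learn which album IDs exist.
    if album is None or album["owner"] != token.user_id:
        return "forbidden"
    if "photos:write" not in token.scopes:
        return "forbidden"
    del albums[album_id]
    return "deleted"


def run_scenario():
    """Replays the cross-user deletion against both handlers on fresh copies
    of the sample state and returns the two outcomes."""
    vulnerable_result = delete_album_vulnerable("tok_alice_mobile", "album_2002", dict(ALBUMS))
    hardened_result = delete_album_hardened("tok_alice_mobile", "album_2002", dict(ALBUMS))
    return vulnerable_result, hardened_result


if __name__ == "__main__":
    vuln, hard = run_scenario()
    print(f"vulnerable handler: alice deleting bob's album -> {vuln}")
    print(f"hardened handler:   alice deleting bob's album -> {hard}")
```

The hardened handler makes the decision at the object level, on every request: who the token represents, whether that user owns the object, and whether the token’s scope covers the action. A log entry for every “forbidden” response on a delete endpoint is also a cheap detection signal, since a legitimate client rarely asks to delete albums that are not its user’s own.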
Video of Facebook hack posted on YouTube
The security researcher posted a video of himself on YouTube showing how the hack works. He said it only took two hours for Facebook to close the hole he found. It’s certainly a good thing the hole was discovered by a white hat hacker who reported it because he could have gone through and deleted every photo album on Facebook using his code. What a mess that would have been.