Facebook Fixed A Bug That Could Have Deleted All Of Your Photos

A security researcher earned a tidy reward from Facebook for reporting a major hole in the social network’s code.

Facebook has patched a serious hole that allowed anyone to delete any user’s photos using only four lines of code. In a blog post on 7Xter, Laxman Muthiyah described the hole he discovered and said he could delete any photo album in just seconds using the code.

Facebook pays the researcher

The security researcher reported the hole to Facebook, which immediately patched it and paid him a reward of $12,500 for discovering and reporting it. Muthiyah said he was playing around with the social network’s Graph API and considered what would happen if someone’s photos were deleted without them knowing about it.

“Obviously that’s very disgusting isn’t it,” he wrote in his blog post.

Easy to delete photos from Facebook

The cyber-security researcher made it sound so easy to delete anyone’s photo albums from Facebook. He tried it using a “Facebook for mobile access token.” This method gives a delete option for all of the photo albums that have been loaded into Facebook’s mobile app. Additionally, he said it uses the same Graph API. He ended up picking a photo album ID and a token for Facebook for Android and tried it out, with success.

As Adam Clark Estes of Gizmodo explains, the tokens used for Facebook access are basically just character strings that give apps permission to access a particular user’s profile. For example, logging into a game using a Facebook profile creates a unique token to allow users to get into the game using their profile on the social network.

Video of Facebook hack posted on YouTube

The security researcher posted a video of himself on YouTube showing how the hack works. He said it only took two hours for Facebook to close the hole he found. It’s certainly a good thing the hole was discovered by a white hat hacker who reported it because he could have gone through and deleted every photo album on Facebook using his code. What a mess that would have been.