Hacker rewarded for very nearly deleting every photo on Facebook

12 Feb 2015

Facebook has awarded US$12,500 to a researcher who discovered a vulnerability that would have given him the power to delete every single image every uploaded to the social network.

Considering that 350m photos are uploaded every day to Facebook by its 1.3bn global users, that’s a lot of photos that could have disappeared forever.

Security researcher Laxman Muthiyah discovered a bug that could have caused misery to hundreds of millions of people.

Using Facebook’s Graph API Muthiyah was able to find away around Facebook’s rules to delete an entire photo album using an Android access token and a four line HTTP request.

Then he decided to try the trick on a potential victim and it worked.

Effectively Muthiyah discovered a potential weapon that if automated could have been used to delete every photo album on Facebook if it fell into the wrong hands.

Just four lines of code could have been used to delete every photo on Facebook.

Micro-David versus Mega-Goliath

Luckily for Facebook and hundreds of millions of people around the world Muthiyah reported the bug to Facebook and a fix was in place in less than two hours.

“You might think that pulling off something as enormous as knocking out Facebook’s gargantuan trove of photos might require genius and technology on an equally epic scale,” wrote Mark Stockley on the Sophos Naked Security blog.

“Not a bit of it. In theory you could do it with a few lines of code and a phone or a Raspberry Pi. Hell, the code would probably run on a digital watch.”

The genius of Muthiyah’s discovery was this: “Facebook album IDs are numeric, which means that guessing them is easy – you start with 1 and just keep going up.

“So wrap that 4 line request in a loop and increment the ID from one to a trillion and you’ve got yourself a micro-David to take on Facebook’s photographic mega-Goliath.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years