Facebook bug allowed people to delete photos

Problem has now been fixed, and the security researcher who found it received thousands of dollars for doing so

Facebook photos could have been deleted with a small piece of code.

A security researcher found that a bug in the Graph API — which allows developers to make apps for the service — allowed apps to delete photos that were stored on the service.

The API is supposed to be banned from allowing such changes, in order to protect users’ data, but a bug in the code was found by researcher Laxman Muthiyah that allowed him to circumvent the API.

“What if your photos get deleted without your knowledge?” asked Muthiyah. “Obviously that's very disgusting isn't it?”

Muthiyah reported the bug to Facebook under its bug bounty programme, and it has now been fixed. The programme allows hackers to report problems in exchange for rewards, as long as they inform Facebook within good time and don’t exploit the problem before doing so.

Muthiyah received a $12,500 bounty for the problem he found, according to messages from the Facebook security team that he posted on his blog.

Facebook quickly identified the issue and there was a fix in place within two hours of the report being made, Muthiyah said.

Comments