Newly Discovered Facebook Bug Allowed Anyone To Delete Your Photos With A Poll

How many photos do you have on Facebook? How many of those are photos you never thought to back up? This just-disclosed Facebook bug would have allowed anyone with a bit of technical know-how to delete any photo on Facebook.

A newly discovered Facebook vulnerability could have let anyone with some technical know-how delete any or all of the photos you posted on the social networking site. The vulnerability once again raises privacy concerns and is a reminder not to use Facebook as a backup drive for all your important, and often personal, photos and videos.

Security researcher Pouya Darabi discovered this bug in early November. When someone created a poll, he found, it would send a request to Facebook servers that included a unique ID for the picture or GIF included. At that point, as Darabi explains in a blog post, he could replace that ID with the ID of any other picture on the network, even ones other people had uploaded.

That way, the poll he’d created would include other people’s pictures, even ones that are not set to public. Then, when he deleted his own poll, the image included (the one taken from someone else’s page) was completely deleted from Facebook—and not just from the poll. It’s unclear how Darabi could obtain the ID of other people’s photos, but it’s possible that all a malicious hacker had to do was to guess a random number until he or she got an image.

Darabi posted a video showing how the bug worked:

Laxman has a breakdown of how it all works here, but here’s the short version: Facebook’s Graph API wasn’t checking permissions properly. If you sent a request to the Graph API to delete another user’s photo album and toss your own Facebook for Android token as the required stamp of approval, it’d blindly accept it and the album would vanish.

On the attacker’s end, the album delete command would have looked something like this:

Request:

DELETE /[Victim’s_photo_album_id] HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=[Your(Attacker)_Facebook_for_Android_Access_Token]

On the victim’s end, the photo album would have just… disappeared.
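Both bugs described above come down to the same defect: the API authenticated the caller's token but never checked that the caller was allowed to act on the object ID it supplied, whether that ID was a photo attached to a poll or an album named in a DELETE request. The following added example (not Facebook's code, and not from either researcher's write-up) models a Graph-style store in plain Python and places the vulnerable pattern next to the fixed one. All users, tokens, photo IDs and the GraphStore class are constructed for this illustration.

```python
"""Added example (not Facebook's code): object-level authorization for a
Graph-style API. Everything here (users, tokens, IDs) is constructed."""
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: int
    owner: str
    public: bool = False


@dataclass
class Poll:
    poll_id: int
    owner: str
    attachments: list = field(default_factory=list)


class Forbidden(Exception):
    pass


class GraphStore:
    def __init__(self):
        # constructed sample data: two users, each owning one private photo
        self.tokens = {"tok-alice": "alice", "tok-bob": "bob"}  # access_token -> user
        self.photos = {101: Photo(101, "alice"), 102: Photo(102, "bob")}
        self.polls = {}
        self._next_poll = 1

    def _caller(self, access_token):
        user = self.tokens.get(access_token)
        if user is None:
            raise Forbidden("invalid access_token")
        return user

    # vulnerable pattern: the token is validated, object ownership is not
    def delete_photo_vulnerable(self, access_token, photo_id):
        self._caller(access_token)  # authenticates, never authorizes
        return self.photos.pop(photo_id, None) is not None

    # fixed pattern: every client-supplied ID is checked against the caller
    def delete_photo(self, access_token, photo_id):
        user = self._caller(access_token)
        photo = self.photos.get(photo_id)
        if photo is None or photo.owner != user:
            # one answer for "missing" and "not yours": no existence oracle
            raise Forbidden("no such photo or not permitted")
        del self.photos[photo_id]
        return True

    def create_poll(self, access_token, attachment_ids):
        user = self._caller(access_token)
        for pid in attachment_ids:
            photo = self.photos.get(pid)
            # an attachment ID may only refer to the caller's own photo
            if photo is None or photo.owner != user:
                raise Forbidden("cannot attach photo %d" % pid)
        poll = Poll(self._next_poll, user, list(attachment_ids))
        self.polls[poll.poll_id] = poll
        self._next_poll += 1
        return poll.poll_id

    def delete_poll(self, access_token, poll_id):
        user = self._caller(access_token)
        poll = self.polls.get(poll_id)
        if poll is None or poll.owner != user:
            raise Forbidden("no such poll or not permitted")
        # cascade only to attachments the caller actually owns
        for pid in poll.attachments:
            photo = self.photos.get(pid)
            if photo is not None and photo.owner == user:
                del self.photos[pid]
        del self.polls[poll_id]
        return True


def attempt(fn, *args):
    """Run one call and report 'ok' or 'forbidden' instead of raising."""
    try:
        fn(*args)
        return "ok"
    except Forbidden:
        return "forbidden"


def demo():
    """Bob (tok-bob) tries to act on Alice's photo 101 through each path."""
    store = GraphStore()
    results = {
        "vuln_delete_other": store.delete_photo_vulnerable("tok-bob", 101),
        "photo_101_gone": 101 not in store.photos,
    }
    store = GraphStore()  # fresh store for the fixed paths
    results["fixed_delete_other"] = attempt(store.delete_photo, "tok-bob", 101)
    results["attach_other"] = attempt(store.create_poll, "tok-bob", [101])
    poll_id = store.create_poll("tok-bob", [102])
    results["delete_own_poll"] = store.delete_poll("tok-bob", poll_id)
    results["own_photo_cascaded"] = 102 not in store.photos
    results["photo_101_survives"] = 101 in store.photos
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The fixed paths fail closed: a missing object and an object the caller does not own produce the same error, so a sweep over IDs learns nothing about which ones exist, and the poll deletion cascades only to photos the poll's owner could have deleted directly.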

It’s a rather simple bug, really — one of those things that you’d just never expect to actually work.

But it did — and it could have had pretty nasty consequences. As Sophos security points out, Facebook photo albums are identified and stored with simple, sequential numbers. If someone were to have popped this thing on a server and scripted up a basic number incrementer to blindly dig up albums, the attacker likely could have deleted a lot of photos before Facebook was any the wiser.
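Sequential IDs make the sweep cheap for the attacker, but they also make it conspicuous: one token issuing DELETEs against a tight run of consecutive object IDs is a pattern an access log can surface. The added example below (not from the article, Sophos or Facebook) profiles DELETE requests per token from a constructed log format and flags tokens whose deleted IDs are numerous and densely packed. The log format, the tokens and every sample line are constructed for this illustration; a real deployment would feed its own API logs through the same logic.

```python
"""Added example (not from the article): detect a scripted ID sweep against
a DELETE endpoint. Log format and sample lines are constructed."""
import re
from collections import defaultdict

# constructed log format: <timestamp> <token> <method> /<object_id> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) /(\d+) (\d{3})$")

# constructed sample: tok-attacker walks consecutive IDs, tok-normal does not
SAMPLE_LOG = """\
2015-02-09T10:00:00Z tok-normal DELETE /84412 200
2015-02-09T10:00:01Z tok-attacker DELETE /50001 200
2015-02-09T10:00:01Z tok-attacker DELETE /50002 404
2015-02-09T10:00:02Z tok-attacker DELETE /50003 200
2015-02-09T10:00:02Z tok-attacker DELETE /50004 200
2015-02-09T10:00:03Z tok-attacker DELETE /50005 404
2015-02-09T10:00:03Z tok-attacker DELETE /50006 200
2015-02-09T10:00:04Z tok-attacker DELETE /50007 200
2015-02-09T10:00:04Z tok-attacker DELETE /50008 200
2015-02-09T10:05:00Z tok-normal GET /84412 200
2015-02-09T10:06:00Z tok-normal DELETE /84413 200
"""


def parse(lines):
    """Yield (token, method, object_id, status) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            _ts, token, method, obj_id, status = m.groups()
            yield token, method, int(obj_id), int(status)


def profile_deletes(lines):
    """Per token: distinct IDs deleted and how densely they fill [min, max]."""
    ids = defaultdict(set)
    for token, method, obj_id, _status in parse(lines):
        if method == "DELETE":
            ids[token].add(obj_id)
    profile = {}
    for token, seen in ids.items():
        span = max(seen) - min(seen) + 1
        # density 1.0 means every ID between the lowest and highest was hit
        profile[token] = {"distinct_ids": len(seen), "density": len(seen) / span}
    return profile


def flag_sweeps(lines, min_deletes=5, min_density=0.5):
    """Tokens whose DELETE targets look like an ID sweep, sorted for stable output."""
    return sorted(
        token
        for token, p in profile_deletes(lines).items()
        if p["distinct_ids"] >= min_deletes and p["density"] >= min_density
    )


if __name__ == "__main__":
    print(flag_sweeps(SAMPLE_LOG.splitlines()))
```

Failed requests (404 in the sample) are counted too, since an attacker probing for albums that exist produces failures as well as successes; the thresholds are starting points to tune against a service's normal per-user deletion volume.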
