Facebook Fixes the Bug Causing Threat to All Public Photos

Today, Facebook is the main reason many of us take so many pictures. It is one of the most dominant social media platforms, where people share their emotions through status updates, pictures, or other multimedia. Pictures, however, remain the most exciting and expressive way of sharing the events in life. Facebook provides various options to share such photos either publicly or privately with a few selected friends. Many people consider uploading pictures to an album or setting them as a profile picture to be safe storage, from which the photos can be downloaded again at any time in the future.

But what if you don’t find any of your uploaded photos the next time you log in?

This might land you in some serious trouble, especially if you uploaded private photographs that you never wanted to lose or to have shared with others. For those who consider Facebook not at all vulnerable, it is time to consider that an undetected bug can allow hackers to delete or misuse all of your photos.

According to the latest discovery by Laxman Muthiyah, a software engineer from India, Facebook was exposed to a bug that could have deleted every single photo by any user on Facebook. The photos could be part of an album, a page, or a group, Muthiyah added. This implies that any photo that is public or is set to be viewed can be deleted. Confirming the information revealed by Muthiyah, security giant Sophos added that Facebook albums could be deleted by anyone, as it is very easy to guess their numeric album IDs. The flaw was in the Graph API in the Android application. However, Facebook reacted quickly and fixed the bug discovered by Muthiyah. Moreover, they rewarded him with $12,500 through Facebook’s bug bounty program.

Here’s an insight into what actually happened

The Graph API is the primary way for applications to read and write data from Facebook. According to Muthiyah, he tried deleting one of his own photos from Facebook through mobile using the album node in the Graph API and was successful in doing so; this contradicted Facebook’s claim that photos cannot be deleted using the Graph API.

He chose a mobile device to delete photos because the delete option for all photos can be seen in Facebook’s mobile application. What took Muthiyah by surprise was that when he tried deleting another person’s photo using its album ID, he was successful in doing that as well.

Muthiyah acted responsibly and reported the bug immediately to the Facebook security team. Luckily, the bug was taken seriously and was fixed within an hour or two. Later, Facebook made the issue public and acknowledged that it would have been a real threat if a hacker knew the target photo ID and had permission to view the album.
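The class of flaw described above is a missing ownership check on a delete request: being able to view an album with a guessable numeric ID was enough to delete it. The sketch below is an added example, not Facebook's code or the Graph API; `Album`, `AlbumStore`, the status codes and the sample IDs are all hypothetical and constructed to contrast the flawed check with a corrected one.

```python
from dataclasses import dataclass


@dataclass
class Album:
    album_id: int      # sequential numeric ID, so it is easy to guess
    owner_id: int
    public: bool = True


class AlbumStore:
    """Constructed in-memory stand-in for a photo backend (hypothetical)."""

    def __init__(self, albums):
        self._albums = {a.album_id: a for a in albums}

    def exists(self, album_id):
        return album_id in self._albums

    def can_view(self, user_id, album):
        return album.public or album.owner_id == user_id

    def delete_vulnerable(self, user_id, album_id):
        # Flawed: authorizes the delete on *view* permission alone.
        album = self._albums.get(album_id)
        if album is None or not self.can_view(user_id, album):
            return 404
        del self._albums[album_id]
        return 200

    def delete_hardened(self, user_id, album_id):
        album = self._albums.get(album_id)
        # Same answer for "missing" and "not visible", so IDs cannot be probed.
        if album is None or not self.can_view(user_id, album):
            return 404
        # A destructive action requires ownership, not just visibility.
        if album.owner_id != user_id:
            return 403
        del self._albums[album_id]
        return 200


def make_store():
    # Constructed sample data: user 1 owns a public and a private album.
    return AlbumStore([Album(1001, owner_id=1),
                       Album(1002, owner_id=1, public=False)])


if __name__ == "__main__":
    for name in ("delete_vulnerable", "delete_hardened"):
        store = make_store()
        status = getattr(store, name)(user_id=2, album_id=1001)
        print(name, status, "album still exists:", store.exists(1001))
```

The hardened path treats the numeric ID purely as a lookup key; the authorization decision comes from the authenticated caller's relationship to the object.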