Security Researcher Finds a Way to Delete Photos on Facebook Without Permission
Another reason why social media sites should improve their security has just surfaced. We post countless pictures of our friends and family, plus a plethora of selfies, on Facebook. Some of us feel confident that our images are secure on a digital platform and won’t be lost or misplaced.
What if I told you that a person has figured out a way to delete all of your pictures on Facebook? All of your albums could be gone forever! Believe it or not, it’s true: a security researcher in India could delete every photo he could see on the popular website.
The researcher, Laxman Muthiyah, had the power to delete any photo he was allowed to see. That means pictures shown to the public on your timeline could easily have been deleted by Laxman.
Here’s Laxman’s reaction after successfully deleting photos and finding this bug:
OMG 😀 the album got deleted! So I got access to delete all of your Facebook photos (photos which are public or the photos I could see) 😛 lol 😀
Thankfully, he is not an immoral hacker. As I mentioned, he is a security researcher, and after finding this bug he reported it to Facebook authorities, who fixed it within 2 hours.
Immediately reported this bug to Facebook security team. They were too fast in identifying this issue and there was a fix in place in less than 2 hours from the acknowledgement of the report.
Moreover, he tested this loophole first on his own account and then experimented on a victim. So how exactly did he do it? He gained access using a developer platform called Graph API. This tool is used by developers to read and write user data. You can go into details about Graph API here.
According to Graph API’s documentation, developers aren’t allowed to delete photo albums via this tool. But he found a workaround which allowed him to delete any album he could see on Facebook. Can you imagine how self-righteous hackers like Lizard Squad could have used this? We can’t rule out the possibility that, instead of going to Facebook, Laxman could have sold this bug to anybody.
Facebook was kind enough to reward Laxman $12,500 USD for pointing out this vulnerability. All of us were lucky Laxman decided to do the right thing, but this should be a red flag for all users. We should set privacy restrictions on personal data and images so that only our friends are able to see them.