Software engineer Laxman Muthiyah has reported a dangerous vulnerability capable of deleting any photo from Facebook, prompting The Social Network™ to patch the hole within two hours and issue one of its biggest bug-spotting cheques ever.
The flaw potentially allowed mass deletion of photos using only the identification number of a target album and an attacker’s own Facebook Android app token. Scripts attempting to pull off this trick at scale could have been stopped by security controls such as rate limiters.
“Any photo album owned by a user, a page, or a group could be deleted,” Muthiyah said.
“I [gained] the key to delete all of your Facebook photos.”
Compound Eye consultant Mark Stockley (@MarkStockley) said the vulnerability could have been trivial to exploit by an attacker with little more than a script and a Raspberry Pi.
“You might think that pulling off something as enormous as knocking out Facebook’s gargantuan trove of photos might require genius and technology on an equally epic scale,” Stockley said.
“In theory you could do it with a few lines of code and a phone or a Raspberry Pi. Hell, the code would probably run on a digital watch.”
Muthiyah published a proof of concept video detailing the vulnerability and received praise from industry for finding the bug.
Facebook has published its thanks to 19 bug hunters who contributed this year. The bug was Muthiyah’s third reported since 2013. ®
Source: The Register