Facebook Graph API Bug Exposes Vulnerability

What if your Facebook photos got deleted by a malicious third party without your knowledge? That's the question posed by security researcher Laxman Muthiyah in a blog post wherein he details how he compromised Facebook's security and did exactly that. Muthiyah fingered Facebook's Graph API as the culprit.

"The Graph API is the primary way for developers to read and write the user's data," wrote Muthiyah. "All Facebook apps … are using [the] Graph API. In general, [the] Graph API requires an access token to read or write users' data."

Facebook's documentation explicitly says that photo albums can't be deleted using the Graph API. Muthiyah decided to put this to the test. When he tried to delete a photo album through the Graph API using the Graph Explorer access token, he got the expected result: an error. He says this is important because end users need to know when they've reached the limits of what the app and service can do. His curiosity then got the better of him.

"I decided to try it with [the] Facebook for mobile access token because we can see [the] delete option for all photo albums in [the] Facebook mobile application," he explained. Muthiyah went through the Graph API again with the mobile access token and discovered he was able to delete a photo album using his own Facebook ID. He replicated the experiment using someone else's Facebook ID and arrived at the same result.
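The sequence Muthiyah describes is a classic object-level authorization gap: the endpoint checked whether the calling app and token were allowed to delete albums at all, but not whether the caller owned the album named in the request. The following is an added illustration, not Facebook's code or anything from Muthiyah's post. It models that check in a small in-memory handler, shows the vulnerable form beside the fixed form, and adds the audit query a defender would run over delete requests. All ids, app names, scopes and the error envelope shape are constructed assumptions.

```python
"""Object-level authorization for an album-delete endpoint (toy model).

Added illustration of the gap the article describes: a token that is
allowed to call "delete album" must still only delete albums its user owns.
Nothing here is Facebook's implementation; all data is constructed.
"""
import copy
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessToken:
    """Who granted the token, which app it was issued to, and its permissions."""
    user_id: str
    app_id: str
    scopes: frozenset


@dataclass
class Album:
    album_id: str
    owner_id: str
    photos: list = field(default_factory=list)


# Constructed sample state: one album per user.
SAMPLE_ALBUMS = {
    "album-1001": Album("album-1001", "user-alice", ["photo-1", "photo-2"]),
    "album-2002": Album("album-2002", "user-bob", ["photo-3"]),
}

# Hypothetical app ids standing in for the Graph Explorer and the mobile client.
EXPLORER_APP = "app-explorer"
MOBILE_APP = "app-mobile"
# Assumption: only the first-party mobile client is capable of deleting albums.
ALBUM_DELETE_CAPABLE_APPS = {MOBILE_APP}


def _error(message: str) -> dict:
    # Error envelope shape is an assumption, not the real Graph API response.
    return {"error": {"message": message}}


def _has_capability(token: AccessToken) -> bool:
    """Function-level check: may this app/token call album delete at all?"""
    return token.app_id in ALBUM_DELETE_CAPABLE_APPS and "user_photos" in token.scopes


def delete_album_vulnerable(token: AccessToken, album_id: str, albums: dict) -> dict:
    """Checks capability only. Any capable token can delete any album id it names."""
    if not _has_capability(token):
        return _error("Application does not have the capability to make this API call")
    if album_id not in albums:
        return _error("Unsupported delete request")
    del albums[album_id]
    return {"success": True}


def delete_album_fixed(token: AccessToken, album_id: str, albums: dict) -> dict:
    """Capability check plus object-level ownership check on the named album."""
    if not _has_capability(token):
        return _error("Application does not have the capability to make this API call")
    album = albums.get(album_id)
    # Same response for "does not exist" and "not yours", so a failed delete
    # does not reveal whether the album id is valid.
    if album is None or album.owner_id != token.user_id:
        return _error("Unsupported delete request")
    del albums[album_id]
    return {"success": True}


def find_cross_owner_deletions(requests: list, albums: dict) -> list:
    """Audit: (user, album) pairs where the token's user is not the album owner.

    This is the condition a server-side review of delete calls should flag.
    """
    return [
        (token.user_id, album_id)
        for token, album_id in requests
        if album_id in albums and albums[album_id].owner_id != token.user_id
    ]


def run_scenario() -> dict:
    """Replays the article's steps against both handlers and returns the outcomes."""
    alice_explorer = AccessToken("user-alice", EXPLORER_APP, frozenset({"user_photos"}))
    alice_mobile = AccessToken("user-alice", MOBILE_APP, frozenset({"user_photos"}))
    requests = [(alice_mobile, "album-1001"), (alice_mobile, "album-2002")]

    vuln = copy.deepcopy(SAMPLE_ALBUMS)
    fixed = copy.deepcopy(SAMPLE_ALBUMS)
    return {
        # Step 1: Explorer token is refused, matching the documented behaviour.
        "explorer_own": delete_album_vulnerable(alice_explorer, "album-1001", vuln),
        # Step 2: mobile token deletes the caller's own album.
        "vuln_own": delete_album_vulnerable(alice_mobile, "album-1001", vuln),
        # Step 3: the same token deletes someone else's album (the bug).
        "vuln_other": delete_album_vulnerable(alice_mobile, "album-2002", vuln),
        "vuln_remaining": sorted(vuln),
        # Fixed handler: own album succeeds, other user's album is refused.
        "fixed_own": delete_album_fixed(alice_mobile, "album-1001", fixed),
        "fixed_other": delete_album_fixed(alice_mobile, "album-2002", fixed),
        "fixed_remaining": sorted(fixed),
        "flagged": find_cross_owner_deletions(requests, SAMPLE_ALBUMS),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point of the fixed handler is that capability (which app, which scope) and ownership (which object) are two separate decisions; passing the first must never imply the second. The audit helper is the same ownership comparison applied after the fact to request logs, which is how a gap like this surfaces in detection even before it is fixed.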

The bottom line here is that Muthiyah was able to access and delete other Facebook users' photos and photo albums using a hole in the Graph API. You can see this in action below:

Muthiyah reported the glitch to Facebook. "[Facebook was] fast in identifying this issue and there was a fix in place in less than two hours from the acknowledgement of the report," he said. That's a pretty quick response. It underscores how seriously Facebook takes security. Muthiyah was awarded $12,500 for his discovery. You can see exactly how Muthiyah was able to get around Facebook's code here.

Facebook told ProgrammableWeb, "We received a report about an issue with our Graph API and quickly fixed it [after] verifying the claims. We’d like to thank the researcher who reported the issue to us through our bug bounty program."

It goes without saying that Facebook users' photos are important to them. Photos are widely shared throughout the social network. Just today, the company made it possible for users to designate a legacy contact, who is able to download and save photos of those who've died.

Eric Zeman I am a journalist who covers the mobile telecommunications industry. I freelance for ProgrammableWeb and other online properties.

Comments (1)

stifan

I found your post so interesting.