Facebook Fixes Bug That Could Have Deleted Any Public Photo

Advertisement
By Hitesh Arora | Updated: 13 February 2015 12:55 IST
We probably had never clicked so many pictures, if there was no Facebook. Uploading those pictures to your Facebook profile (even if privately) means a sense of safe storage for most people, which can be downloaded any time again. But, what if you go back and see no pictures there?

On Thursday, a software engineer Laxman Muthiyah discovered a vulnerability which allowed anyone to delete any photo album by any user on Facebook.

"Any photo album owned by an user or a page or a group could be deleted," said Muthiyah, though he clarified later "photos which are public or the photos I could see," implying private photos as well if the attacker had permission to view the album. Security firm Sophos adds, "So long as [Muthiyah] had the photo album ID and permission to view the album he could delete it... Facebook album IDs are numeric, which means that guessing them is easy - you start with 1 and just keep going up. "

Advertisement

This was essentially a Graph API flaw in Facebook Android app which potentially allowed a target album to be deleted with its numbered ID. Facebook was quick to response on the reported vulnerability by Muthiyah and offered him $12,500 (approximately Rs. 7.76 lakhs) through Facebook's bug bounty program.

So how did that happen?

According to Muthiyah, while Facebook notes that its photo albums cannot be deleted using the album node in Graph API, he tried to delete one of his own photo albums with a Facebook for mobile access token using the same Graph API and it got deleted.

"I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn't it? Yeah and also it uses the same Graph API. so took a album id & Facebook for Android access token of mine and tried it," notes Muthiyah.

But when he tried the same for some other person's photo album with its album ID, it got deleted as well, "So, what's the next step? Took victim's album ID and tried to delete it. I was very curious to see the result. OMG the album got deleted!"

Advertisement

Luckily the bug has been fixed by Facebook, and Muthiyah played a true altruist by not trying to profit by it. Muthiyah said he "immediately reported this bug to Facebook security team." "They were too fast in identifying this issue and there was a fix in place in less than two hours from the acknowledgement of the report," he added.

Later, a Facebook representative also issued a statement on company's behalf, stating(via Sophos' Nakedsecurity blog), "We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims. To be clear, triggering this issue would have required knowledge of the ID of the target photo album, as well as permission to view the album based on the album's privacy settings. We'd like to thank the researcher who reported the issue to us through our bug bounty program."

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Amazon Prime Day 2026: Best Deals on Soundbars From JBL, and More
  2. Amazon Prime Day 2026: Best Deals on iQOO Smartphones
  3. Best Camera Phones Under Rs. 30,000 for Content Creators in India
  4. Amazon Prime Day Deals 2026: Up to 70 Percent Off on These Projectors
  5. Amazon Prime Day 2026: Top Deals on 65-inch Smart TVs
  6. Best Thin and Light Laptops Under Rs. 70,000 for College Students in India
  1. Best Camera Phones Under Rs. 30,000 for Content Creators in India: Motorola Edge 70 Fusion, Galaxy F56, More
  2. Amazon Prime Day 2026: Best Deals on Smartphones Under Rs. 15,000
  3. Boat Stone 900 Launched in India With Up to 80W Sound Output, Up to 15 Hours Audio Playback: Price, Features
  4. Cyberpunk 2077 Has Sold 40 Million Copies, CD Projekt Red Confirms
  5. Nothing Phone 1 Receives Final Software Update With Latest Security Patches, Bug Fixes and Improvements
  6. Nokia 235 4G (2026), 215 4G (2026) Launched Alongside Nokia 210 4G, and 200 4G With AI Assistant Button
  7. Samsung Galaxy S27 Ultra Battery Details Leaked; Could Top iPhone 18 Pro Max's Battery Capacity
  8. OnePlus Ace 7 Series Tipped to Feature 185Hz Display, 9,000mAh Battery
  9. WhatsApp Rolls Out Primary Device Support on iPad, Tests New Setup Screen for Android Tablets: Report
  10. Government Directs App Stores to Remove Malicious Apps Used to Disrupt E-Rickshaw Operations: Report
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.