A Facebook hack that allowed attackers to remotely delete any photo they wanted to from the social network has been patched by the company.
Muthiyah outlined the steps needed to delete photos remotely in a blog post on his site, explaining that as soon as he found the problem, he reported the issue to Facebook’s security team. The exploit was completed with just a few short lines of code which required nothing more than the photo album ID of the targeted victim, and an Android app token, reports The Register.
By inserting these into a short line of code, an attacker would be able to delete Facebook photos belonging to anyone. Those who owned the photographs would have no knowledge of why their content had vanished from the site, and no trace would be left.
The trick exploited Facebook’s Graph API – HTTP-based software that the website uses to function. By using his own token, Muthiyah was able to fool the site into allowing him to manipulate photos that didn’t belong to him.
The exploit had limitations of course: firstly as it required a photo album ID, the attacker would need to be able to see the albums in the first place. Secondly as The Register observes, “any scripts to pull off this trick could be stopped by security controls like rate limiters,” which would mean large scale abuse of the exploit would be extremely time consuming.
So far this year, Facebook has thanked 19 bug hunters. This was Muthiyah’s third reported exploit since 2013.