
Facebook vulnerability puts your photos at risk

Like it or not, Facebook has become almost ubiquitous in today's world. Most people you know, both young and old, are on there.

Worse, some folks keep memories of their lives stored on the service, including precious photos that, in some cases, may not be backed up in any way. It feels safe; after all, Facebook wouldn't lose them, right? Not so fast.

This is less about Facebook losing them (I'm sure it has backups) and more about a third party taking them away. That sounds scary, but a security researcher has proven it's possible. Laxman Muthiyah posted his findings along with details of how the exploit works.

Essentially, he used the Graph API to delete first his own album and then that of a "victim". Though Facebook claims this isn't possible, the opposite is the case, and proof is posted for everyone to see.

The token generated should only grant limited access; however, generating a token for the mobile version of the social network changed things.

"The album got deleted! So I got the key to delete all of your Facebook photos", Muthiyah calmly states. Of course, he won't do this; he's only proving a point. But that point should be acted upon quickly by the service because, now that it's out there, someone will certainly begin using it "just for fun", right?

Well, no. Fortunately, it has been fixed, so there is no longer any need to worry about this. Facebook also awarded Mr. Muthiyah $12,500 (£8,000) for finding the flaw. Kudos for acting quickly.

Photo credit: 1000 Words / Shutterstock