Facebook bug allowed people to delete photos

Problem has now been fixed, and the security researcher who found it received thousands of dollars for doing so

Andrew Griffin
Monday 16 February 2015 12:52 EST

Facebook photos could have been deleted with a small piece of code.

A security researcher found that a bug in the Graph API — which allows developers to make apps for the service — allowed apps to delete photos that were stored on the service.

The API is not supposed to allow such changes, in order to protect users’ data, but researcher Laxman Muthiyah found a bug in the code that allowed him to circumvent that restriction.

“What if your photos get deleted without your knowledge?” asked Muthiyah. “Obviously that's very disgusting isn't it?”

Muthiyah reported the bug to Facebook under its bug bounty programme, and it has now been fixed. The programme allows hackers to report problems in exchange for rewards, as long as they inform Facebook within good time and don’t exploit the problem before doing so.

Muthiyah received a $12,500 bounty for the problem he found, according to messages from the Facebook security team that he posted on his blog.

Facebook quickly identified the issue and there was a fix in place within two hours of the report being made, Muthiyah said.
