Full Report
A Facebook hack that allowed attackers to remotely delete any photo they wanted to from the social network has been patched by the company.
Analysis Summary
# Vulnerability: Remote Photo Deletion via Facebook Graph API Abuse
## CVE Details
- CVE ID: Not stated in the article (likely tracked internally or patched before a public identifier was assigned)
- CVSS Score: Not available
- CWE: Likely related to Authorization Bypass or Insecure Direct Object Reference (IDOR) within the Graph API.
## Affected Systems
- Products: Facebook (Social Networking Platform)
- Versions: Unspecified; the platform was patched in February 2015.
- Configurations: The vulnerable path was the Facebook Graph API, reached with a valid Android app token and a target photo album ID.
## Vulnerability Description
The vulnerability resided in Facebook's Graph API, the HTTP-based interface through which the website and its apps read and modify user data. An attacker could construct a request that combined a target victim's photo album ID with the attacker's own valid Android application token. The API accepted this combination and authorized the deletion, allowing the attacker to remove photos belonging to the victim without their knowledge or consent.
## Exploitation
- Status: Responsibly disclosed by a researcher; the article does not report exploitation in the wild.
- Complexity: Low (Required only a few lines of code, the target album ID, and an Android app token).
- Attack Vector: Network (Remote via API call).
## Impact
- Confidentiality: Partial (Ability to remove user data).
- Integrity: High (Direct modification/destruction of user-owned content).
- Availability: Medium (Availability of specific user photos/albums affected).
## Remediation
### Patches
- Facebook patched the vulnerability within two hours of the responsible disclosure. Specific patch versions are not mentioned.
### Workarounds
- Monitoring and rate limiting of API calls were mentioned as security controls that could slow down abuse, but the vendor patch was the primary fix.
## Detection
- Indicators of compromise: Users reporting unexpected deletion of photos from their accounts.
- Detection methods and tools: Not detailed in the article beyond rate limiting of API requests as a suggested control.
## References
- Vendor Advisory: Facebook's security team addressed the report internally and deployed a fix quickly.
- Relevant links:
  - ESET write-up: hxxps://www.welivesecurity.com/en/?p=... (article context only)
- Researcher: Laxman Muthiyah reported the issue.
- Bounty Awarded: The research was rewarded with $12,500.