Delete any Photo from Facebook by Exploiting Support Dashboard

Delete any Photo from Facebook by Exploiting Support Dashboard(arulxtronix.blogspot.in)

114 points by costapopescu 12 years ago | 31 comments

kristofferR 12 years ago |

This guy was lucky to be proficient enough in English to recieve the bounty, unlike this guy: http://www.theverge.com/2013/8/18/4633046/facebook-security-...

mistercow 12 years ago | |

Sounds to me like the big difference here is that this guy made a video when he couldn't communicate verbally (honestly seems like a smart way to do it even if American English is your first language; describing UI interactions verbally is generally pretty non-trivial). And critically, he did not actually use the exploit against another user. He just showed that he could have.

Argorak 12 years ago | |

He might even get into Y combinator, if he tried.

There, I did it. Haha.

Can we stop beating dead horses, we all read Hacker News around here?

sp332 12 years ago | | |

That was a dig at Facebook, not pg or YC.

Buge 12 years ago | |

The problem with that guy is that he didn't use a test account and tested it on a random girl without her permission.

lifeformed 12 years ago |

Facebook should make a "Hack Me" profile for people to mess with, so they don't have to use Zuckerberg's instead.

citricsquid 12 years ago | |

https://www.facebook.com/whitehat/accounts/

barrkel 12 years ago | | |

That just gives out the same info as https://www.facebook.com/whitehat/, unless (I speculate) you already have a Facebook account and are logged in.

singold 12 years ago |

Maybe now we can delete our own facebook photos...

pearjuice 12 years ago |

Is it still worth it to follow every link on Facebook and check the URLs/AJAX requests whether the parameters can be tampered with? At Facebook's scale I always assumed there would be someone full-time employed to do this. In fact, I wouldn't mind if it was good paying. Just give me all the Facebook frontend endpoints and I will go by them one-by-one. Manually. I will even document the test cases and what could be intercepted, changed or can be improved in terms of validation.

GuiA 12 years ago | |

Two people have done it publicly and successfully over the past month or so, so yeah, I would argue that it might be worth it.

loceng 12 years ago |

Facebook really doesn't test anything for security vulnerabilities before pushing to production, do they?

ffk 12 years ago | |

They most likely do test for security vulnerabilities. However, the attack surface and overall complexity is so large that things will slip by even with the most rigorous testing.

For now, the best you can hope for is a layered defense and rigorous dev and ops practices to help minimize the attack surface and reduce the overall damage a single successful attack can achieve.

Robin_Message 12 years ago | | |

Putting the user id in the request is obviously wrong, since the owner can looked up from the photo id.

Automated testing/fuzzing could find this, but probably better training/practices would be easier to get right and save time/money in the long run.

danielrmay 12 years ago | |

I think we can all agree that it's both a very difficult and a very large task to maintain an application with 500 million active users, let alone continue innovation and expansion.

Testing can only ever go so far - bugs and vulnerabilities exist everywhere, even in Facebook.

loceng 12 years ago | | |

With the resources they have access to, I'd say there's no real excuse - unless it's not a priority - which could very well be. Privacy only became a priority (which coincides with security) when Facebook started to regularly change people's privacy settings on them.

Argorak 12 years ago | |

Do you?

loceng 12 years ago | | |

I'm not there yet.

meatsock 12 years ago |

wow that's a nice bounty for changing two parameters on the end of a URL.

terabytest 12 years ago | |

The exploit is easy, but the implications are very dangerous. Such an exploit could have been automated to take down hundreds of photos before it was even detected.

codesuela 12 years ago | | |

nope, only thing this would've shown is that pictures aren't really deleted. Think about it. Facebook would do a rollback and all the pictures would be back. However with a little bad luck on their part they'd mess up which would lead to them restoring rightfully deleted pictures (many of them embarrassing). Would this have happened for sure? Probably not, but I strongly believe that this could have ended hilariously and frankly I am a little disappointed that the researcher was a white hat ;)

nivla 12 years ago |

As I understand it, the exploit involves crafting a URL to send in a removal request to the Facebook support. Wouldn't this count as social engineering or were the removal requests automated?

Regardless, well done!

chairmankaga 12 years ago | |

It seems you can send a crafted URL to request the deletion of images owned by Person A, to Person B. Cutting out any interaction from the original owner.

benmmurphy 12 years ago | |

it looks like the request goes to the person who posted the photo first. presumably so that person can delete the photo without getting support involved. it looks like the problem was you could control the profile_id so it was different from the profile that owned the photo.

tomphoolery 12 years ago |

Pretty sure Mark Zuckerberg has had his Facebook profile fucked with more than anyone else, judging by all these disclosures I've been reading :)