
Delete any Photo from Facebook by Exploiting Support Dashboard - costapopescu
http://arulxtronix.blogspot.in/2013/09/delete-any-photo-from-facebook-by.html
======
kristofferR
This guy was lucky to be proficient enough in English to receive the bounty,
unlike this guy: [http://www.theverge.com/2013/8/18/4633046/facebook-security-...](http://www.theverge.com/2013/8/18/4633046/facebook-security-bug-let-anyone-post-on-walls)

~~~
Argorak
He might even get into Y combinator, if he tried.

There, I did it. Haha.

Can we stop beating dead horses, we all read Hacker News around here?

~~~
sp332
That was a dig at Facebook, not pg or YC.

~~~
Argorak
That was a complaint about the style of posting, not about pg, YC or Facebook.

------
lifeformed
Facebook should make a "Hack Me" profile for people to mess with, so they
don't have to use Zuckerberg's instead.

~~~
citricsquid
[https://www.facebook.com/whitehat/accounts/](https://www.facebook.com/whitehat/accounts/)

~~~
barrkel
That just gives out the same info as
[https://www.facebook.com/whitehat/](https://www.facebook.com/whitehat/),
unless (I speculate) you already have a Facebook account and are logged in.

~~~
remi
When logged in, it shows the test account dashboard:
[http://i.imgur.com/Wh72kJF.png](http://i.imgur.com/Wh72kJF.png)

------
singold
Maybe now we can delete our own facebook photos...

------
pearjuice
Is it still worth it to follow every link on Facebook and check the URLs/AJAX
requests whether the parameters can be tampered with? At Facebook's scale I
always assumed there would be someone full-time employed to do this. In fact,
I wouldn't mind if it was good paying. Just give me all the Facebook frontend
endpoints and I will go by them one-by-one. Manually. I will even document the
test cases and what could be intercepted, changed or can be improved in terms
of validation.

~~~
GuiA
Two people have done it publicly and successfully over the past month or so,
so yeah, I would argue that it might be worth it.

------
loceng
Facebook really doesn't test anything for security vulnerabilities before
pushing to production, do they?

~~~
ffk
They most likely do test for security vulnerabilities. However, the attack
surface and overall complexity is so large that things will slip by even with
the most rigorous testing.

For now, the best you can hope for is a layered defense and rigorous dev and
ops practices to help minimize the attack surface and reduce the overall
damage a single successful attack can achieve.

~~~
Robin_Message
Putting the user id in the request is obviously wrong, since the owner can be
looked up from the photo id.

Automated testing/fuzzing could find this, but probably better
training/practices would be easier to get right and save time/money in the
long run.
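
The point above, that ownership should be derived server-side from the photo id rather than taken from a request parameter, as an added example that is not part of the thread or of Facebook's code. The store, the photo ids and the user names are constructed for illustration; the vulnerable handler keeps the flaw class being discussed (a caller-supplied owner id used for the check) next to a hardened handler that ignores anything the caller claims about ownership.

```python
"""Added example (not from the HN thread or Facebook): an authorization check
for a photo-removal request, shown in a vulnerable and a hardened form."""

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester is not allowed to act on the photo."""


@dataclass
class PhotoStore:
    # Constructed sample data: photo_id -> owner user id (hypothetical values).
    owners: dict = field(default_factory=lambda: {"photo-101": "alice",
                                                  "photo-202": "bob"})
    deleted: set = field(default_factory=set)

    def owner_of(self, photo_id: str):
        # Returns None for unknown photos so the caller can refuse uniformly
        # instead of leaking whether the id exists.
        return self.owners.get(photo_id)

    def delete(self, photo_id: str) -> None:
        self.deleted.add(photo_id)


def vulnerable_remove(store, session_user, photo_id, claimed_owner):
    # Deliberately flawed (the class of bug the thread discusses): ownership is
    # checked against an owner id the caller supplied, so a caller can "prove"
    # ownership of any photo by sending their own id in that parameter.
    if claimed_owner != session_user:
        raise Forbidden("not the owner")
    store.delete(photo_id)
    return True


def hardened_remove(store, session_user, photo_id):
    # Fix: the owner comes from the photo record, never from the request.
    # Unknown photo and wrong owner are rejected the same way.
    owner = store.owner_of(photo_id)
    if owner is None or owner != session_user:
        raise Forbidden("not the owner")
    store.delete(photo_id)
    return True


def demo():
    """Returns (vulnerable handler deleted another user's photo,
                hardened handler refused the same request)."""
    vuln_store = PhotoStore()
    # "bob" asks to remove alice's photo while claiming owner=bob.
    vulnerable_remove(vuln_store, "bob", "photo-101", claimed_owner="bob")
    crossed_account = "photo-101" in vuln_store.deleted

    hard_store = PhotoStore()
    try:
        hardened_remove(hard_store, "bob", "photo-101")
        blocked = False
    except Forbidden:
        blocked = True
    return crossed_account, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The hardened check is the one that survives automated parameter tampering: the only input it trusts is the authenticated session, and every other value in the request is looked up rather than believed.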

~~~
bunkat
I think this is one of the things that Microsoft did a pretty good job with.
There is a security process in place that every product goes through for every
release. While it still can't catch everything, even the simplest of threat
models would have caught a bug like this.

While Facebook most likely does do some form of threat modeling for their main
site, without a rigid process for all code that goes public you'll run into
issues like this that are just as severe. Just because it's a mobile support
site for requesting photo removals doesn't mean it is less important surface
area in terms of security.

------
meatsock
wow that's a nice bounty for changing two parameters on the end of a URL.

~~~
terabytest
The exploit is easy, but the implications are very dangerous. Such an exploit
could have been automated to take down hundreds of photos before it was even
detected.

~~~
codesuela
nope, the only thing this would've shown is that pictures aren't really deleted.
Think about it. Facebook would do a rollback and all the pictures would be
back. However with a little bad luck on their part they'd mess up which would
lead to them restoring rightfully deleted pictures (many of them
embarrassing). Would this have happened for sure? Probably not, but I strongly
believe that this could have ended hilariously and frankly I am a little
disappointed that the researcher was a white hat ;)

~~~
vinceguidry
Rolling back is a last-ditch effort, it often causes more problems than it
would cure. Sure you'd get the pictures back, but everything done in the
interim would be deleted. And if he were a black hat, we'd have never heard
about this.

~~~
MichaelApproved
I can't imagine Facebook could roll anything back on their scale. Everything
touches so many things, it would be a nightmare to get done.

I'd imagine they'd find the accounts that were responsible for deleting the
pictures that weren't theirs (as this hack allowed to have happen) and restore
the pictures deleted by those accounts.

------
nivla
As I understand it, the exploit involves crafting a URL to send in a removal
request to the Facebook support. Wouldn't this count as social engineering or
were the removal requests automated?

Regardless, well done!

~~~
chairmankaga
It seems you can send a crafted URL to request the deletion of images owned by
Person A, to Person B. Cutting out any interaction from the original owner.

------
tomphoolery
Pretty sure Mark Zuckerberg has had his Facebook profile fucked with more than
anyone else, judging by all these disclosures I've been reading :)

