A new Facebook vulnerability that allows any user to delete anyone's Facebook photo albums
An India-based security researcher has discovered a critical vulnerability in Facebook that would have allowed anyone to delete any Facebook photo album without the owner's authentication token.
Laxman Muthiyah, the researcher who discovered the bug, states on his blog post:
Obviously that's very disgusting, isn't it? Yup, this post is about a vulnerability found by me which allows a malicious user to delete any photo album on Facebook. Any photo album owned by a user, a page or a group could be deleted.
Laxman says the bug in the Facebook Graph API mechanism allows any potential hacker or user to delete your complete Facebook photo album without having the victim's authentication.
Laxman first exploited the bug in the Graph API to delete his own photo albums without the web authorisation token, then tried it on other users' albums and found that it worked without a hitch, within a few seconds.
"I decided to try it with the Facebook for mobile access token because we can see the delete option for all photo albums in the Facebook mobile application, isn't it? Yeah, and also it uses the same Graph API," he said.
Laxman used the authorisation token generated for the mobile version of Facebook and exploited the bug to delete a photo album from the victim's Facebook account.
Laxman explained that a potential hacker would only need to send an HTTP Graph API DELETE request carrying the victim's photo album ID together with the attacker's own mobile access token; the API checked that the token was valid but not that its owner had any right to the album.
The API request and response he used are given below:
Request:
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>

Response:
true
"Album (518171421550249) got deleted, so what's the next step? Took the victim's album id and tried to delete it. I was very curious to see the result," Laxman adds.
Proof of Concept
Request:
DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>
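The root cause is a missing object-level authorization check: the endpoint validated the token but never asked whether the token's user owned or administered the album. The following is an added illustration, not Facebook's code, using a toy in-memory album store with constructed sample data (the tokens, user ids and "page_42" are invented; the album id is the one quoted above). It places a handler that reproduces the flaw beside the corrected one.

```python
from dataclasses import dataclass, field


@dataclass
class Album:
    album_id: str
    owner: str  # id of the user, page or group that owns the album


@dataclass
class AlbumStore:
    albums: dict = field(default_factory=dict)    # album_id -> Album
    tokens: dict = field(default_factory=dict)    # access_token -> caller user id
    managers: dict = field(default_factory=dict)  # page/group id -> set of admin user ids

    def _can_manage(self, caller, owner):
        # A user manages their own albums; page and group albums are managed by their admins.
        return caller == owner or caller in self.managers.get(owner, set())

    def delete_album_vulnerable(self, access_token, album_id):
        """Mirrors the reported flaw: the token is validated, the album's owner is not."""
        if access_token not in self.tokens:
            return {"error": "invalid access token"}
        if album_id not in self.albums:
            return {"error": "album not found"}
        del self.albums[album_id]
        return True

    def delete_album_fixed(self, access_token, album_id):
        """Object-level authorization: the caller must own or administer the album."""
        caller = self.tokens.get(access_token)
        if caller is None:
            return {"error": "invalid access token"}
        album = self.albums.get(album_id)
        # Same answer for "missing" and "not yours", so the endpoint does not
        # confirm which album ids exist to a caller who cannot act on them.
        if album is None or not self._can_manage(caller, album.owner):
            return {"error": "album not found"}
        del self.albums[album_id]
        return True


def build_store():
    # Constructed sample data (hypothetical ids); not real Facebook identifiers.
    store = AlbumStore()
    store.tokens = {"tok_attacker": "u_attacker", "tok_victim": "u_victim"}
    store.managers = {"page_42": {"u_victim"}}
    store.albums = {
        "518171421550249": Album("518171421550249", "u_victim"),
        "album_page": Album("album_page", "page_42"),
    }
    return store
```

With the vulnerable handler any valid token deletes any album; with the fixed one a deletion succeeds only for the owner or a page admin, and an unauthorized caller gets the same response as for a non-existent album.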
Laxman has said that the Facebook security team immediately recognized the vulnerability from the PoC he sent them and patched the bug. He also added that Facebook has awarded him a bug bounty of $12,500 for discovering the bug.
Video of the bug
The video of the PoC published by Laxman on YouTube is given below: