Security researcher discovers vulnerability in Facebook which allows anyone to delete any Photo Albums

A new Facebook vulnerability that allowed any user to delete anyone's Facebook photo albums

An India-based security researcher has discovered a critical vulnerability in Facebook's Graph API that would have allowed anyone to delete any Facebook photo album using nothing more than their own access token: the API deleted the album named in the request without checking that the caller was authorized to touch it.

Laxman Muthiyah, the researcher who discovered the bug, states on his blog post:

Obviously that's very disgusting, isn't it? Yup, this post is about a vulnerability found by me which allows a malicious user to delete any photo album on Facebook. Any photo album owned by a user, a page or a group could be deleted.

Laxman says the bug in the Facebook Graph API allowed any user to delete another person's entire photo album: the endpoint authenticated the caller's access token but never verified that the token's owner had permission to delete the album whose ID was supplied.

Laxman first tested the Graph API request against one of his own photo albums, then pointed the same request, still carrying his own access token, at another account's album ID and found that it was deleted just as easily, within a few seconds.

"I decided to try it with the Facebook for mobile access token, because we can see the delete option for all photo albums in the Facebook mobile application, isn't it? Yeah, and also it uses the same Graph API," he said.

Laxman used the access token issued to the Facebook for Android application and, with it, deleted a photo album from the victim's Facebook account.

Laxman explained that a potential attacker would only need to send a single HTTP DELETE request to the Graph API naming the victim's photo album ID, together with the attacker's own Facebook for Android access token.

The request and response he used are given below:

Request:
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response:
true

"Album (518171421550249) got deleted 😀, so what's the next step? Took the victim's album ID and tried to delete it. I was very curious to see the result," Laxman adds.

Proof of Concept

Request:
DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>
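The flaw behind the proof of concept is a missing authorization check, not a missing authentication check: the token is valid, it just does not belong to the album's owner. The following Python model is an added example, not Laxman's code or Facebook's, and it simulates a Graph-API-style DELETE handler in two versions: the vulnerable shape (authenticate the token, then delete whatever album ID was named) beside a fixed shape that also verifies the token's owner may manage that album, covering albums owned by a user and by a page the user administers. All album IDs, token strings, the "user_photos" scope name and the page-admin mapping are constructed assumptions for the example; the difference between web and Android app tokens that Laxman mentions is not modelled.

```python
"""Toy model of a Graph-API-style `DELETE /<album_id>` endpoint.

Illustrates the class of bug described in the article: the endpoint
authenticates the access token but never checks that the token's owner
is allowed to delete the album it names. All data here is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Union


@dataclass
class Album:
    album_id: str
    owner_id: str  # a user, page or group id


@dataclass
class AccessToken:
    user_id: str       # the account the token was issued to
    app: str           # the client application holding the token
    scopes: frozenset  # permissions granted to that app


# Constructed sample data; every identifier below is made up.
SAMPLE_ALBUMS: Dict[str, Album] = {
    "518171421550249": Album("518171421550249", "user:attacker"),
    "900000000000001": Album("900000000000001", "user:victim"),
    "900000000000002": Album("900000000000002", "page:victim-brand"),
}
SAMPLE_TOKENS: Dict[str, AccessToken] = {
    "android-token-attacker": AccessToken(
        "user:attacker", "facebook_for_android", frozenset({"user_photos"})),
    "web-token-victim": AccessToken(
        "user:victim", "graph_explorer", frozenset({"user_photos"})),
}
# Hypothetical mapping of pages/groups to the users who administer them.
PAGE_ADMINS: Dict[str, Set[str]] = {"page:victim-brand": {"user:victim"}}

Result = Union[bool, Dict[str, str]]


def delete_album_vulnerable(albums: Dict[str, Album], tokens: Dict[str, AccessToken],
                            album_id: str, access_token: str) -> Result:
    """Authenticates the caller but never authorizes them: any valid token
    can delete any album id it names. This is the flaw the article describes."""
    if access_token not in tokens:
        return {"error": "invalid access token"}
    if album_id not in albums:
        return {"error": "unknown object"}
    del albums[album_id]
    return True


def can_manage(user_id: str, owner_id: str) -> bool:
    """A user may manage albums they own, or albums of a page/group they administer."""
    return user_id == owner_id or user_id in PAGE_ADMINS.get(owner_id, set())


def delete_album_fixed(albums: Dict[str, Album], tokens: Dict[str, AccessToken],
                       album_id: str, access_token: str) -> Result:
    """Same endpoint with the object-level authorization check the vulnerable
    version lacks. The token must carry the photos permission, and its owner
    must be allowed to manage the specific album named in the request."""
    token = tokens.get(access_token)
    if token is None:
        return {"error": "invalid access token"}
    if "user_photos" not in token.scopes:
        return {"error": "permission denied"}
    album = albums.get(album_id)
    # Return one error for both "not found" and "not yours" so the endpoint
    # cannot be used to enumerate which album ids exist.
    if album is None or not can_manage(token.user_id, album.owner_id):
        return {"error": "permission denied"}
    del albums[album_id]
    return True


def demo() -> Dict[str, Result]:
    """Replays the attacker's own token against the victim's albums on both versions."""
    vuln, fixed = dict(SAMPLE_ALBUMS), dict(SAMPLE_ALBUMS)
    out: Dict[str, Result] = {}
    out["vulnerable_attacker_deletes_victim"] = delete_album_vulnerable(
        vuln, SAMPLE_TOKENS, "900000000000001", "android-token-attacker")
    out["fixed_attacker_deletes_victim"] = delete_album_fixed(
        fixed, SAMPLE_TOKENS, "900000000000001", "android-token-attacker")
    out["fixed_attacker_deletes_page_album"] = delete_album_fixed(
        fixed, SAMPLE_TOKENS, "900000000000002", "android-token-attacker")
    out["victim_albums_survive_fixed"] = (
        "900000000000001" in fixed and "900000000000002" in fixed)
    out["fixed_owner_deletes_own"] = delete_album_fixed(
        fixed, SAMPLE_TOKENS, "900000000000001", "web-token-victim")
    out["fixed_admin_deletes_page_album"] = delete_album_fixed(
        fixed, SAMPLE_TOKENS, "900000000000002", "web-token-victim")
    out["fixed_attacker_deletes_own"] = delete_album_fixed(
        fixed, SAMPLE_TOKENS, "518171421550249", "android-token-attacker")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check that matters is the one tying the authenticated principal to the requested object ID; validating the token, the scope, or the app alone would still have let the attacker's token delete a victim's album.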

Laxman has said that the Facebook security team promptly acknowledged the vulnerability from the PoC he sent and patched the bug. He also added that Facebook awarded him a $12,500 bug bounty for the discovery.

Image caption: This is the response you will get if you try to exploit the bug now.

Video of the bug

Laxman also published a video of the PoC on YouTube.
