Facebook Vulnerability Allows Hacker to Delete Any Photo Album

Sunday, February 15, 2015

A Serious vulnerability in Facebook has recently been reported that could allow anyone to delete your complete Facebook photo album without having authentication.

Security Researcher Laxman Muthiyah told The Hacker News that the vulnerability actually resides in Facebook Graph API mechanism, which allows "a hacker to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted."

DELETING FACEBOOK PHOTO ALBUMS

According to Facebook developers documentation, its not possible to delete albums using the Graph API, but Indian security researcher has found a way to delete not just his own, but also others Facebook photo albums within few seconds.

"I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn't it? Yeah and also it uses the same Graph API," he said.

In general, Facebook Graph API requires an access token to read or write users data, which gives limited access to an app only. However, Laxman discovered that his own "access token" generated for mobile version of Facebook could be exploited to remove any photo albums posted by any Facebook User.

In order to delete a photo album from victim’s Facebook account, the attacker only needs to send a HTTP-based Graph API request with victim’s photo album ID and attacker’s own access token generated for ‘Facebook for android’ app.

SAMPLE REQUEST

Request :- DELETE /<Victim's_photo_album_id> HTTP/1.1 Host : graph.facebook.com Content-Length: 245 access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

VIDEO DEMONSTRATION