Hackers could have deleted any Facebook Album
According to security researcher Laxman Muthiyah, a hacker could delete any photo album belonging to a user or a group. The vulnerability was in Facebook’s Graph API. Facebook rewarded him $12,500 USD. He surely deserves it, and thank you for not releasing it to the public before it was patched.
I decided to try it with the Facebook for mobile access token because we can see the delete option for all photo albums in the Facebook mobile application, isn’t it? Yeah, and also it uses the same Graph API.
In order to delete a photo album from the victim’s Facebook account, the attacker only needs to send an HTTP-based Graph API request with the victim’s photo album ID and the attacker’s own access token generated for the ‘Facebook for Android’ app.
The Sample Request Used
Request :-
DELETE /<Victim’s_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>
Don’t try it now, since it’s already been patched.
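To make the class of bug concrete, here is an added Python model of the server-side authorization check behind a DELETE on an album (illustrative code, not Facebook’s): the broken version verifies only that the token is valid and was issued to an app allowed to delete, while the fixed version also binds the album to the token’s owner. All user, album, app and token values are constructed.

```python
# Added example, not Facebook's code: a minimal model of the authorization
# check behind "DELETE /<album_id>" on a Graph-style API, showing the missing
# object-level check described above. All data below is constructed.

# Constructed data: which user owns which album.
ALBUMS = {"album_1001": "victim_user", "album_2002": "attacker_user"}

# Constructed data: access token -> (user it was issued to, app it was issued for).
TOKENS = {
    "tok_attacker_android": ("attacker_user", "facebook_for_android"),
    "tok_victim_android": ("victim_user", "facebook_for_android"),
    "tok_victim_web": ("victim_user", "web_app"),
}

# Assumption for the model: only the first-party mobile app may delete albums.
APPS_ALLOWED_TO_DELETE = {"facebook_for_android"}


def _validate(album_id: str, access_token: str):
    """Shared checks: object exists, token is valid, issuing app may delete.
    Returns (error_or_None, token_owner)."""
    if album_id not in ALBUMS:
        return "404 not found", None
    if access_token not in TOKENS:
        return "401 invalid token", None
    owner, app = TOKENS[access_token]
    if app not in APPS_ALLOWED_TO_DELETE:
        return "403 app not permitted", None
    return None, owner


def delete_album_broken(album_id: str, access_token: str) -> str:
    """Broken handler: never asks whether the token's owner owns the album,
    so any valid mobile-app token can delete anyone's album."""
    err, _owner = _validate(album_id, access_token)
    if err:
        return err
    return "200 deleted"


def delete_album_fixed(album_id: str, access_token: str) -> str:
    """Hardened handler: same validation plus the ownership check."""
    err, owner = _validate(album_id, access_token)
    if err:
        return err
    if ALBUMS[album_id] != owner:  # the check the vulnerable API lacked
        return "403 not album owner"
    return "200 deleted"
```

Running both handlers with the attacker’s token against the victim’s album shows the difference: the broken one returns 200, the fixed one 403.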
How it was done