A Serious vulnerability in Facebook has recently been reported that could allow anyone to delete your complete Facebook photo album without having authentication.
Security Researcher Laxman Muthiyah told
The Hacker News that the vulnerability actually resides in Facebook Graph API mechanism, which allows "a hacker to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted." DELETING FACEBOOK PHOTO ALBUMS
According to Facebook developers documentation, its not possible to delete albums using the Graph API, but Indian security researcher has found a way to delete not just his own, but also others Facebook photo albums within few seconds.
"I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn't it?
Yeah and also it uses the same Graph API," he said. In general, Facebook Graph API requires an access token to read or write users data, which gives limited access to an app only.
However, Laxman discovered that his own "access token" generated for mobile version of Facebook could be exploited to remove any photo albums posted by any Facebook User.
SAMPLE REQUEST
Request :-
DELETE /<Victim's_photo_album_id> HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>
source (www.thehackernews.com)
Post a Comment