//

0



A Serious vulnerability in Facebook has recently been reported that could allow anyone to delete your complete Facebook photo album without having authentication.

Security Researcher Laxman Muthiyah told

The Hacker News that the vulnerability actually resides in Facebook Graph API mechanism, which allows "a hacker to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted." DELETING FACEBOOK PHOTO ALBUMS

 According to Facebook developers documentation, its not possible to delete albums using the Graph API, but Indian security researcher has found a way to delete not just his own, but also others Facebook photo albums within few seconds.

 "I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn't it?

Yeah and also it uses the same Graph API," he said. In general, Facebook Graph API requires an access token to read or write users data, which gives limited access to an app only.

However, Laxman discovered that his own "access token" generated for mobile version of Facebook could be exploited to remove any photo albums posted by any Facebook User.

SAMPLE REQUEST 
       Request :-

       DELETE /<Victim's_photo_album_id> HTTP/1.1

       Host : graph.facebook.com

       Content-Length: 245
       access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>


Facebook Bug Bounty program rewarded him with $12,500 USD for helping the Facebook Security team to patch this critical loophole.

source (www.thehackernews.com)

Post a Comment

 
Top