How to hack Facebook photo album of every user

Pierluigi Paganini February 12, 2015

An Indian security expert Laxman Muthiyah exploited a vulnerability in Facebook Graph API mechanism to delete Facebook photo albums of every user.

A critical flaw in the popular social network Facebook recently discovered could allow ill-intentioned to completely delete users’ Facebook photo album without being authenticated.

According the security expert Laxman Muthiyah the vulnerability resides in Facebook Graph API mechanism.

“a hacker to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted.” said Laxman.

The Indian security researcher has discovered a way to delete Facebook photo albums of every Facebook users in a few seconds.

“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API,” he explained.

The researcher discovered that by using his own “access token” generated for mobile version of Facebook could be exploited to remove any photo albums posted by any other Facebook User despite theoretically Facebook Graph API requires an access token to access and modify data.However, Muthiyah

“Graph API is primary way for developers to read and write the users data. All the Facebook apps of now are using Graph API. In general Graph API requires an access token to read or write users data. Read more about Graph API here. ” wrote Muthiyah in a blog post.

Facebook photo album

The researcher demonstrates that it is quite easy for an attacker to delete a the Facebook photo album from the victim’s Facebook account, the attacker only needs to send an HTTP-based Graph API request customized victim’s photo album ID. In this way the attacker’s own access token generated for ‘Facebook for android’ app.

“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API. so took a album id & Facebook for android access token of mine and tried it.” said the researcher.

Request :-
DELETE /518171421550249 HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response :- true
Album(518171421550249) got deleted :D so whats the next step? Took victim's album id and tried to delete it. I was very curious to see the result. 
Request :-
DELETE /518171421550249 HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response :-true
OMG :D the album got deleted! So i got the key to delete all of your Facebook photos :P lol :D "

Resuming a sample request is 

DELETE /<Victim’s_photo_album_id> HTTP/1.1
Host : graph.facebook.com 
Content-Length: 245
access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

Video POC

Facebook included the flaw discovered by the research in its Bug Bounty program rewarding him with $12,500 USD for reporting the flaw in Facebook photo album.

Pierluigi Paganini

(Security Affairs –  Facebook photo album, hacking)



you might also like

leave a comment