A serious vulnerability in Facebook has recently been reported that could allow anyone to delete your complete Facebook photo album without any authentication.
Security researcher Laxman Muthiyah told The Hacker News that the vulnerability actually resides in the Facebook Graph API mechanism, which allows "a hacker to delete any photo album on Facebook. Any photo album owned by a user or a page or a group could be deleted."
DELETING FACEBOOK PHOTO ALBUMS
According to Facebook's developer documentation, it is not possible to delete albums using the Graph API, but the Indian security researcher has found a way to delete not only his own, but also other people's Facebook photo albums within a few seconds.
"I decided to try it with the Facebook for mobile access token because we can see a delete option for all photo albums in the Facebook mobile application, isn't it? Yeah, and it also uses the same Graph API," he said.
In general, the Facebook Graph API requires an access token to read or write user data, which gives limited access to an app only. However, Laxman discovered that his own "access token" generated for the mobile version of Facebook could be exploited to remove any photo album posted by any Facebook user.
In order to delete a photo album from a victim's Facebook account, the attacker only needs to send an HTTP-based Graph API request with the victim's photo album ID and the attacker's own access token generated for the 'Facebook for Android' app.
SAMPLE REQUEST
Request :-
DELETE /<Victim's_photo_album_id> HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>
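The root cause described above is a missing object-level authorization check: the endpoint validated that the token was genuine and came from an app allowed to delete albums, but never checked that the token's owner actually owned the album. The following is an added example (not Facebook's code) that models that DELETE handler in its reported form next to a fixed form; every user, album ID and token value is constructed for illustration.

```python
# Added example, not Facebook's code: a minimal model of a Graph API
# "DELETE /<album_id>" handler with and without an ownership check.
# All user ids, album ids and token strings below are constructed.
from dataclasses import dataclass


@dataclass
class Album:
    album_id: str
    owner: str          # id of the user, page or group that owns the album


@dataclass
class Token:
    user: str           # subject the token was issued to
    app: str            # client app the token was issued for


# Constructed sample data: two users, each owning one album and holding
# a token issued for the mobile app.
ALBUMS = {"album_1001": Album("album_1001", "user_alice"),
          "album_2002": Album("album_2002", "user_bob")}
TOKENS = {"tok_alice_android": Token("user_alice", "mobile_app"),
          "tok_bob_android": Token("user_bob", "mobile_app")}


def delete_album_vulnerable(album_id, access_token, albums):
    """Reported behaviour: any valid token from the mobile app can delete
    any album, because the album's owner is never compared to the token."""
    token = TOKENS.get(access_token)
    if token is None or token.app != "mobile_app":
        return 401                      # invalid token or wrong app
    if album_id not in albums:
        return 404
    del albums[album_id]                # no ownership check at all
    return 200


def delete_album_fixed(album_id, access_token, albums):
    """Same endpoint with object-level authorization: the token's subject
    must be the owner of the album it is trying to delete."""
    token = TOKENS.get(access_token)
    if token is None or token.app != "mobile_app":
        return 401
    album = albums.get(album_id)
    if album is None:
        return 404
    if album.owner != token.user:
        return 403                      # valid token, but not this album's owner
    del albums[album_id]
    return 200
```

The check belongs on the server side of every write endpoint; a per-app token scope such as "may delete albums" says nothing about which albums the caller owns.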
The Facebook Bug Bounty program rewarded him with $12,500 USD for helping the Facebook Security team patch this critical loophole.