A new Facebook vulnerability allows any user to delete anyone's Facebook photo albums
Laxman Muthiyah, the researcher who discovered the bug, writes on his blog that a flaw in Facebook's Graph API let any user delete another user's entire photo album without being authorised to do so. He first confirmed that he could delete his own albums through the flawed endpoint, then tried the same request against albums belonging to other users and found that it worked without a hitch, within a few seconds. The request was made with an access token issued to the mobile version of Facebook: the attacker's own token was accepted as valid, but the API never checked that the token's owner also owned the album being deleted. This is therefore an authorisation failure rather than an authentication one; the attacker is logged in, just not as the album's owner. According to Laxman, all a potential attacker would need is a single HTTP request to the Graph API carrying the victim's photo album ID.

“Album(518171421550249) got deleted 😀 so what's the next step? Took victim’s album id and tried to delete it. I was very curious to see the result,” Laxman adds. The API response he received is given below:

Response: true
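To make the failure concrete, the following is an added example, not Facebook's code and not taken from Laxman's write-up, that models a Graph-style album delete handler in Python. The vulnerable version authenticates the caller (the token must be valid) but only enforces ownership on the web client path, so a valid mobile token can delete whatever album ID the caller names; the fixed version applies one ownership check identically for every client. The user names, token strings, the second album ID and the per-client split are constructed assumptions: the article mentions that a mobile token was used but does not say why that mattered.

```python
"""Hypothetical model of the Graph API authorisation flaw described above.

Added example, not Facebook's code. Users, tokens, the second album ID and
the web/mobile split are constructed for illustration; only the album ID
518171421550249 comes from the article.
"""

from dataclasses import dataclass


@dataclass
class Album:
    album_id: str
    owner_id: str


@dataclass
class Token:
    user_id: str   # who the token was issued to
    client: str    # "web" or "android": which app minted the token (assumed)


# Constructed sample state: two users, one album each, and their tokens.
ALBUMS = {
    "518171421550249": Album("518171421550249", "victim"),
    "10100000000000001": Album("10100000000000001", "attacker"),
}
TOKENS = {
    "tok-attacker-android": Token("attacker", "android"),
    "tok-attacker-web": Token("attacker", "web"),
    "tok-victim-web": Token("victim", "web"),
}


def fresh_albums():
    """Return a copy of the sample album store so each call starts clean."""
    return {k: Album(v.album_id, v.owner_id) for k, v in ALBUMS.items()}


def delete_album_vulnerable(albums, access_token, album_id):
    """Mirrors the flaw: the token is authenticated, but the ownership
    check is only applied on the web path. A valid mobile token deletes
    any album_id the caller supplies."""
    tok = TOKENS.get(access_token)
    if tok is None:
        return {"error": "invalid access token"}
    album = albums.get(album_id)
    if album is None:
        return {"error": "no such album"}
    if tok.client == "web" and album.owner_id != tok.user_id:
        return {"error": "not permitted"}
    del albums[album_id]
    return True  # the Graph API answers a successful delete with `true`


def delete_album_fixed(albums, access_token, album_id):
    """One ownership check, applied the same way for every client."""
    tok = TOKENS.get(access_token)
    if tok is None:
        return {"error": "invalid access token"}
    album = albums.get(album_id)
    # Same response for "missing" and "not yours", so the endpoint cannot
    # be used to enumerate which album IDs exist.
    if album is None or album.owner_id != tok.user_id:
        return {"error": "not permitted"}
    del albums[album_id]
    return True


if __name__ == "__main__":
    store = fresh_albums()
    # Attacker deletes the victim's album using only their own mobile token.
    print(delete_album_vulnerable(store, "tok-attacker-android", "518171421550249"))
    store = fresh_albums()
    # Same request against the fixed handler is refused.
    print(delete_album_fixed(store, "tok-attacker-android", "518171421550249"))
```

The lesson the fixed handler encodes is that an object-level authorisation check belongs in the shared code path that every client hits, not in one client's front end; a token proving who the caller is says nothing about whether the caller may act on the object named in the request.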
Proof of Concept
Laxman says the Facebook security team acknowledged the vulnerability as soon as he sent them the PoC and patched the bug. He adds that Facebook awarded him a bug bounty of $12,500 for the report.
Video of the bug
The video of the PoC published by Laxman on YouTube is given below: