A critical vulnerability in Facebook has been discovered by a security researcher which allowed him to delete anyone's complete photo album, without any authentication by the victim. This critical security bug in Facebook was recently reported by an Indian security researcher.
Researcher Laxman Muthiyah was the person who discovered this security issue. Laxman explained that the bug resided in the Graph API and allowed him to delete any photo album of any Facebook user, including those of fan pages and Facebook groups.
In his blog post Laxman wrote that Facebook's developer documentation states that photo albums cannot be deleted using the album node in the Graph API. Even so, he tried to delete his own photo album using a Graph API Explorer access token. On testing this he got an error message which reads: Application does not have the capability to make this API call.
In response to the error message he got, he made some tweaks and tried the same request again, but this time using a Facebook for Mobile access token. Laxman noted: we can see the delete option for all photo albums in the Facebook mobile application, isn't it? Yeah, and it also uses the same Graph API.
As Facebook for mobile has no option to delete a photo album, he took the album ID and a Facebook for Android access token and sent the same HTTP DELETE request to the Facebook server. Facebook completed the request successfully.
So to delete any user's photo album, he only needed to send an HTTP DELETE request containing the victim's photo album ID, which let him delete any user's photo albums.
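The root cause described above is a missing object-level authorization check: the API verified that the calling application was allowed to invoke the delete method, but never verified that the user behind the token owned the album being deleted. The following is an added example, not code from Facebook or from the researcher, that models that pattern in a hypothetical in-memory Graph-style API: `delete_album_vulnerable` performs only the per-application capability check, while `delete_album_fixed` adds the ownership (or page/group admin) check that was missing. All identifiers, IDs and the `ALBUMS`, `APP_CAN_DELETE_ALBUMS` and `ADMINS` tables are constructed for the example.

```python
"""Constructed example: object-level authorization on a DELETE endpoint.

Hypothetical mini Graph-style API with an in-memory album store. The
vulnerable handler checks only whether the calling *application* may call
the delete method at all; the fixed handler also checks that the *user*
behind the token may manage the specific album.
"""
import copy
from dataclasses import dataclass


class ApiError(Exception):
    """Raised for any rejected API call (message mimics an API error body)."""


@dataclass(frozen=True)
class Token:
    user_id: str                  # subject: the logged-in user the token belongs to
    app_id: str                   # client application the token was issued to
    scopes: frozenset = frozenset()


@dataclass
class Album:
    album_id: str
    owner_id: str                 # user, page or group node that owns the album


# Constructed sample data (hypothetical IDs, not real Facebook identifiers).
ALBUMS = {
    "album-1001": Album("album-1001", "user-alice"),
    "album-2002": Album("album-2002", "page-acme"),
}
# Which client apps may call DELETE on an album node at all (constructed).
APP_CAN_DELETE_ALBUMS = {"web-app": False, "mobile-app": True}
# Admins of page/group nodes (constructed).
ADMINS = {"page-acme": {"user-bob"}}


def fresh_store():
    """Return a private copy of the sample data so calls do not share state."""
    return copy.deepcopy(ALBUMS)


def _app_capability_check(token):
    """Per-application check: this is the only check the vulnerable path has."""
    if not APP_CAN_DELETE_ALBUMS.get(token.app_id, False):
        raise ApiError("Application does not have the capability to make this API call.")
    if "user_photos" not in token.scopes:
        raise ApiError("Missing permission: user_photos")


def delete_album_vulnerable(album_id, token, store):
    """Vulnerable: validates the app and the album ID, never the album's owner."""
    _app_capability_check(token)
    if album_id not in store:
        raise ApiError("Unknown album")
    del store[album_id]
    return True


def _user_may_manage(user_id, owner_id):
    """True if the user owns the node or administers the page/group that does."""
    return user_id == owner_id or user_id in ADMINS.get(owner_id, set())


def delete_album_fixed(album_id, token, store):
    """Hardened: same app check plus an object-level ownership check."""
    _app_capability_check(token)
    album = store.get(album_id)
    # One generic error for both "no such album" and "not yours", so the
    # response does not reveal whether a guessed album ID exists.
    if album is None or not _user_may_manage(token.user_id, album.owner_id):
        raise ApiError("Unsupported delete request")
    del store[album_id]
    return True


def attempt(handler, album_id, token, store):
    """Run a handler and return (deleted, error_message) instead of raising."""
    try:
        return handler(album_id, token, store), ""
    except ApiError as exc:
        return False, str(exc)


if __name__ == "__main__":
    mallory = Token("user-mallory", "mobile-app", frozenset({"user_photos"}))
    print("vulnerable:", attempt(delete_album_vulnerable, "album-1001", mallory, fresh_store()))
    print("fixed:     ", attempt(delete_album_fixed, "album-1001", mallory, fresh_store()))
```

The check that matters is the one inside `delete_album_fixed`: the decision is made on the album's owner versus the token's subject, not on which client application issued the request. A capability gate per application, as in `_app_capability_check`, only decides which clients may reach the method and says nothing about which objects the user may act on.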
As a proof of concept, the researcher demonstrated the process in a video, which you can see below.
He reported the bug to the Facebook security team, and within 24 hours the Facebook team had patched the vulnerability. Under the Facebook Bug Bounty program, he was rewarded with $12,500.