A critical flaw in the popular social network Facebook recently discovered could allow ill-intentioned to completely delete users’ Facebook photo album without being authenticated.
According the security expert Laxman Muthiyah the vulnerability resides in Facebook Graph API mechanism.
“a hacker to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted.” said Laxman.
The Indian security researcher has discovered a way to delete Facebook photo albums of every Facebook users in a few seconds.
“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API,” he explained.
The researcher discovered that by using his own “access token” generated for mobile version of Facebook could be exploited to remove any photo albums posted by any other Facebook User despite theoretically Facebook Graph API requires an access token to access and modify data.However, Muthiyah
“Graph API is primary way for developers to read and write the users data. All the Facebook apps of now are using Graph API. In general Graph API requires an access token to read or write users data. Read more about Graph API here. ” wrote Muthiyah in a blog post.
The researcher demonstrates that it is quite easy for an attacker to delete a the Facebook photo album from the victim’s Facebook account, the attacker only needs to send an HTTP-based Graph API request customized victim’s photo album ID. In this way the attacker’s own access token generated for ‘Facebook for android’ app.
“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API. so took a album id & Facebook for android access token of mine and tried it.” said the researcher.