How to hack Facebook photo album of every user

Posted on

A critical flaw in the popular social network Facebook recently discovered could allow ill-intentioned to completely delete users’ Facebook photo album without being authenticated.

According the security expert Laxman Muthiyah the vulnerability resides in Facebook Graph API mechanism.

“a hacker to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted.” said Laxman.

The Indian security researcher has discovered a way to delete Facebook photo albums of every Facebook users in a few seconds.

“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API,” he explained.

Facebook vulnerability  hack accounts
Facebook vulnerability hack accounts

The researcher discovered that by using his own “access token” generated for mobile version of Facebook could be exploited to remove any photo albums posted by any other Facebook User despite theoretically Facebook Graph API requires an access token to access and modify data.However, Muthiyah

“Graph API is primary way for developers to read and write the users data. All the Facebook apps of now are using Graph API. In general Graph API requires an access token to read or write users data. Read more about Graph API here. ” wrote Muthiyah in a blog post.

The researcher demonstrates that it is quite easy for an attacker to delete a the Facebook photo album from the victim’s Facebook account, the attacker only needs to send an HTTP-based Graph API request customized victim’s photo album ID. In this way the attacker’s own access token generated for ‘Facebook for android’ app.

“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API. so took a album id & Facebook for android access token of mine and tried it.” said the researcher.

Source:http://securityaffairs.co/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s