Thursday, February 12, 2015

Facebook vulnerability allows anyone to delete anyone's photo album.

Facebook is the revolutionary social networking site with billions of users globally. Facebook allows users to upload photos and create their own albums. Recently a new vulnerability was discovered in Facebook that allows anyone to delete anyone's photo album.

An Indian security researcher, Laxman, discovered the vulnerability, which resides in the Facebook Graph API mechanism. According to Facebook's developer documentation it is not possible to delete an album using the Graph API, but he proved it wrong: he was able to delete not only his own albums but other users' albums as well.

The Facebook Graph API requires an access token to read or write user data. He discovered that his own access token, generated for the mobile version of Facebook, could be used to remove photo albums posted by any user.

The attacker needs to send an HTTP Graph API request containing the victim's photo album ID and the attacker's own access token generated for the 'Facebook for Android' app. The sample request is as follows:

Request:
DELETE /<victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>
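The root cause, as an added example that is not Facebook's code: a minimal Graph-API-style DELETE handler that checks only token validity and scope (the gap the post describes), beside one that additionally checks that the album belongs to the user the token was issued to. The tokens, user ids, album ids and scope names are constructed sample data, not real Facebook values.

```python
# Constructed sample data: bearer tokens issued to two different users
# (in the real flaw the attacker's token was issued to the Android app).
TOKENS = {
    "tok_attacker_android": {"user": "u_attacker", "scopes": {"write"}},
    "tok_victim_web":       {"user": "u_victim",   "scopes": {"write"}},
}

# Constructed sample data: album id -> owner.
ALBUMS = {
    "album_1001": {"owner": "u_victim"},
    "album_2002": {"owner": "u_attacker"},
}


def _authenticate(token):
    """Resolve a bearer token to its principal; None if the token is unknown."""
    return TOKENS.get(token)


def delete_album_vulnerable(token, album_id, albums):
    """Authentication and scope check only.

    Never asks whether the token's user owns the album, so any valid
    write-capable token can delete any album: the behaviour the post
    describes. Returns an HTTP-style status code."""
    principal = _authenticate(token)
    if principal is None or "write" not in principal["scopes"]:
        return 401
    if album_id not in albums:
        return 404
    del albums[album_id]
    return 200


def delete_album_fixed(token, album_id, albums):
    """Same checks plus object-level authorization: the album must
    belong to the user the token was issued to, otherwise 403."""
    principal = _authenticate(token)
    if principal is None or "write" not in principal["scopes"]:
        return 401
    album = albums.get(album_id)
    if album is None:
        return 404
    if album["owner"] != principal["user"]:
        return 403  # the ownership check that closes the hole
    del albums[album_id]
    return 200
```

The vulnerable handler returns 200 for the attacker's token against the victim's album; the fixed one returns 403 and leaves the album in place, while the owner's own token still gets 200.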

He reported this vulnerability to Facebook, and under the Facebook Bug Bounty Program he was awarded $12,500 USD for the discovery.

P.S.: The post is to create awareness and not to be misused.
