Discovered (and fixed) a vulnerability that permits an attacker to delete any photo album on Facebook

Laxman Muthiyah has published a post on his blog explaining a vulnerability in the Facebook Open Graph API that permits an attacker to delete any photo album on Facebook.


Muthiyah immediately reported the bug to Facebook: the vulnerability was fixed in less than 2 hours, and the researcher was rewarded with $12,500 USD.


The exploit is very simple: this HTTP API request

DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Facebook_for_Android_Access_Token>

made with an access token issued to the Facebook mobile app (Facebook for Android) deletes album #518171421550249 without any security check: the API verified that the token was valid, but not that the token's user was allowed to delete that particular album.
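To make the flaw concrete, here is an added example (not Facebook's code, and not the researcher's proof of concept) that models a Graph-API-style "DELETE /{album-id}" endpoint with constructed tokens, users and albums. The vulnerable handler only checks that the token is valid, which is the behaviour the post describes; the hardened handler beside it adds the object-level authorization (token user must own the album) and permission-scope check that such an endpoint needs. The token strings, user ids, app ids and scope name are assumptions; only the album id comes from the request above.

```python
# Added example, not Facebook's code or the researcher's exploit. It models a
# Graph-API-style "DELETE /{album-id}" endpoint with constructed tokens,
# users and albums, showing the missing-authorization flaw next to a
# hardened handler that checks ownership and token scope.
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Token:
    user_id: str          # user the token was issued to
    app_id: str           # app (e.g. the Android client) the token was issued for
    scopes: frozenset     # permissions that user granted to that app


@dataclass(frozen=True)
class Album:
    album_id: str
    owner_id: str


# Constructed sample data: the album id is the one shown in the request on the
# page; the token strings, app ids, user ids and scope names are hypothetical.
ALBUMS = {"518171421550249": Album("518171421550249", owner_id="user_victim")}
TOKENS = {
    "tok_android_attacker": Token("user_attacker", "app_android", frozenset({"user_photos"})),
    "tok_android_victim": Token("user_victim", "app_android", frozenset({"user_photos"})),
    "tok_web_victim_readonly": Token("user_victim", "app_web", frozenset({"public_profile"})),
}


def parse_delete_request(raw: str):
    """Return (album_id, access_token) from a raw 'DELETE /{id} HTTP/1.1'
    request whose body carries access_token=... (the shape shown on the page)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, path, _version = head.split("\n", 1)[0].split(" ")
    if method != "DELETE":
        raise ValueError("not a DELETE request")
    token = parse_qs(body.strip()).get("access_token", [""])[0]
    return path.lstrip("/"), token


def delete_album_vulnerable(albums, token_str, album_id):
    """Flawed handler: any valid token deletes any album (the reported bug)."""
    if token_str not in TOKENS:
        return 401, "invalid access token"
    if album_id not in albums:
        return 404, "album not found"
    del albums[album_id]          # no check of who owns the album
    return 200, "deleted"


def delete_album_hardened(albums, token_str, album_id, required_scope="user_photos"):
    """Hardened handler: object-level authorization plus a scope check."""
    token = TOKENS.get(token_str)
    if token is None:
        return 401, "invalid access token"
    album = albums.get(album_id)
    if album is None:
        return 404, "album not found"
    # Object-level authorization: the token's user must own the album.
    # Returning 404 instead of 403 here would additionally avoid confirming
    # to a caller that an album id exists when they cannot act on it.
    if album.owner_id != token.user_id:
        return 403, "not the album owner"
    # Scope check: the app must have been granted write access to photos.
    if required_scope not in token.scopes:
        return 403, "token lacks required permission"
    del albums[album_id]
    return 200, "deleted"


if __name__ == "__main__":
    raw = ("DELETE /518171421550249 HTTP/1.1\n"
           "Host: graph.facebook.com\n\n"
           "access_token=tok_android_attacker")
    album_id, tok = parse_delete_request(raw)
    print("vulnerable:", delete_album_vulnerable(dict(ALBUMS), tok, album_id))  # (200, 'deleted')
    print("hardened:  ", delete_album_hardened(dict(ALBUMS), tok, album_id))    # (403, 'not the album owner')
```

The point of the two handlers side by side is that token validity and authorization are separate questions: a token proves which user and app are calling, and the handler must still decide whether that user may act on this specific object. The scope check covers the second half of the bug, a token issued to one client (here, the mobile app) being accepted for operations its granted permissions should not allow.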

Here is a video demonstration


Published: February 12 2015