Discovered (and fixed) a vulnerability that permits an attacker to delete any photo album on Facebook

Laxman Muthiyah has published a post on his blog that explains a vulnerability in the Facebook OpenGraph API which permits an attacker to delete any photo album on Facebook.


Muthiyah immediately reported the bug to Facebook: the vulnerability was fixed in less than 2 hours, and the researcher was rewarded with $12,500 USD!


The exploit is very simple: this HTTP API request

DELETE /518171421550249 HTTP/1.1
Host: 
Content-Length: 245

made with an access token generated for the Facebook Mobile App deletes album #518171421550249 without any security check.
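The flaw the post describes is a missing object-level authorization check: the endpoint accepted any valid token and never asked whether the token's user owned the album, nor whether the app the token was issued to was allowed to perform deletes. The following is an added illustration, not Facebook's code or the researcher's: a toy in-memory album store with the vulnerable delete handler beside a hardened one. The scope name `user_photos`, the app identifiers and the user ids are constructed for the example; only the album id is taken from the post.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Token:
    user_id: str            # account that granted the token
    app_id: str             # application the token was issued to
    scopes: FrozenSet[str]  # permissions granted to that application


@dataclass
class Album:
    album_id: str
    owner_id: str


class AlbumStore:
    """In-memory stand-in for the album database (constructed for the example)."""

    def __init__(self, albums):
        self._albums: Dict[str, Album] = {a.album_id: a for a in albums}

    def get(self, album_id: str) -> Optional[Album]:
        return self._albums.get(album_id)

    def delete(self, album_id: str) -> None:
        del self._albums[album_id]


def delete_album_vulnerable(store: AlbumStore, token: Token, album_id: str) -> int:
    """Mirrors the flaw in the post: the only checks are that a token was
    presented and the album exists. Ownership and the issuing app are ignored,
    so any valid token deletes any album."""
    if store.get(album_id) is None:
        return 404
    store.delete(album_id)
    return 200


def delete_album_hardened(store: AlbumStore, token: Token, album_id: str,
                          apps_allowed_to_delete: Set[str]) -> int:
    """Object-level authorization: the token must carry the right scope, the
    issuing app must be permitted to delete albums, and the album must belong
    to the token's user. Ownership failures return 404 rather than 403 so the
    endpoint does not confirm that a foreign album id exists."""
    if "user_photos" not in token.scopes:        # scope name is an assumption
        return 403
    if token.app_id not in apps_allowed_to_delete:
        return 403
    album = store.get(album_id)
    if album is None or album.owner_id != token.user_id:
        return 404
    store.delete(album_id)
    return 200


def run_scenario() -> dict:
    """Three callers against the same album: an attacker using a mobile-app
    token (the post's case), an attacker using a token from a permitted app,
    and the legitimate owner. All ids except the album id are constructed."""
    victim_album = "518171421550249"  # album id quoted in the post
    scopes = frozenset({"user_photos"})
    attacker_mobile = Token("attacker", "mobile_app", scopes)
    attacker_web = Token("attacker", "web_app", scopes)
    owner_web = Token("victim", "web_app", scopes)
    apps_allowed_to_delete = {"web_app"}

    def fresh_store() -> AlbumStore:
        return AlbumStore([Album(victim_album, owner_id="victim")])

    vulnerable_store = fresh_store()
    hardened_store = fresh_store()
    owner_store = fresh_store()
    return {
        "vulnerable_status": delete_album_vulnerable(vulnerable_store, attacker_mobile, victim_album),
        "vulnerable_album_remains": vulnerable_store.get(victim_album) is not None,
        "hardened_mobile_status": delete_album_hardened(hardened_store, attacker_mobile, victim_album, apps_allowed_to_delete),
        "hardened_web_status": delete_album_hardened(hardened_store, attacker_web, victim_album, apps_allowed_to_delete),
        "hardened_album_remains": hardened_store.get(victim_album) is not None,
        "owner_status": delete_album_hardened(owner_store, owner_web, victim_album, apps_allowed_to_delete),
        "owner_album_remains": owner_store.get(victim_album) is not None,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The vulnerable handler deletes the victim's album for a token that belongs to a different user and a different app; the hardened handler rejects the mobile-app token outright, answers 404 to the attacker's permitted-app token because the album is not theirs, and still lets the owner delete their own album. The check that matters most is the ownership comparison, which is exactly what the original endpoint lacked.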

Here is a video demonstration:

Published: February 12 2015