lohazones.blogg.se

Burp suite payment hack







Was poking around Facebook looking for security vulnerabilities. Facebook runs a bug bounty program, which means that if you can find a vulnerability that’s serious enough, it can earn you cold hard cash. It didn’t take much for to find one worthy of a bounty. The Graph API is the primary way for Facebook apps to read and write to the Facebook social graph. Many apps use this API, but there are limitations to what it can do. For example, the API is unable to delete users’ photo albums.

At least, it’s not supposed to be able to. He started by sending a command to delete one of his own albums using a Graph Explorer access token. The application didn’t have the correct permissions to be able to perform that action. It seemed that Facebook was correct and the API was unable to delete photos. He noticed that the wording of the response suggested that other apps would have the ability to delete the albums, so he decided to check the Facebook mobile application. He decided to send the same request with a different token. This time he used a token from the Facebook for Mobile application. The request was accepted and processed without a problem. To take things a step further, sent the same requests, but changed the user’s ID to a victim account he had set up. This actually worked, and resulted in his photo album being deleted.

This meant that could effectively delete photo albums from any other user without that user’s consent. The vulnerability did require that had permission to view the album in the first place.








