A serious vulnerability in Facebook has recently been reported that could allow anyone to delete your entire Facebook photo album without any authentication, by using the Graph API to delete albums.
According to Facebook's developer documentation, it is not possible to delete albums using the Graph API, but an Indian security researcher, Laxman, has found a way to delete not just his own but also other users' Facebook photo albums within a few seconds.
In general, the Facebook Graph API requires an access token to read or write user data, and that token gives an app only limited access. However, Laxman discovered that his own access token, generated for the mobile version of Facebook, could be exploited to remove photo albums posted by any Facebook user.
In order to delete a photo album from the victim's Facebook account, the attacker only needs to send an HTTP-based Graph API request containing the victim's photo album ID together with the attacker's own access token generated for the 'Facebook for Android' app.
Proof of concept:

DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
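The root cause described above is a missing object-level authorization check: the API validated that the token was genuine but never verified that the token's user owned the album being deleted. The following added example (not Facebook's code; token store, album store, scope names and handler are all constructed for illustration) shows a minimal DELETE handler in its vulnerable form beside a fixed form that checks ownership and write scope before deleting.

```python
"""Illustrative authorization check for an album DELETE endpoint.

Constructed example: TOKENS, ALBUMS, scope names and both handlers are
hypothetical stand-ins, not Facebook's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    user_id: str        # the user the token was issued for
    app_id: str         # the app the token was issued to
    scopes: frozenset   # permissions granted to that app


# Constructed sample data: an attacker token from a mobile app and a victim token
# from a web app, plus one album owned by each user.
TOKENS = {
    "tok-attacker": Token("u-attacker", "app-android", frozenset({"user_photos", "write_photos"})),
    "tok-victim": Token("u-victim", "app-web", frozenset({"user_photos"})),
}
ALBUMS = {"album-1": {"owner": "u-victim"}, "album-2": {"owner": "u-attacker"}}


def delete_album_vulnerable(album_id, token_str, albums):
    """Before the fix: any valid token can delete any existing album."""
    if token_str not in TOKENS:
        return 401          # token not recognised
    if album_id not in albums:
        return 404          # no such album
    del albums[album_id]    # no check of who owns the album
    return 200


def delete_album_fixed(album_id, token_str, albums):
    """After the fix: the token's user must own the album and hold a write scope."""
    token = TOKENS.get(token_str)
    if token is None:
        return 401
    album = albums.get(album_id)
    if album is None:
        return 404
    if album["owner"] != token.user_id:
        return 403          # object-level check: only the owner may delete
    if "write_photos" not in token.scopes:
        return 403          # function-level check: token must allow writes
    del albums[album_id]
    return 200
```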