Facebook's API Bug - Delete a photo posted on a page using a `user access_token` without `manage_pages` permission
Description
According to the documentation (https://developers.facebook.com/docs/graph-api/reference/v2.3/photo#deleting), an app can delete a photo only under the following conditions:
- A user access token with `publish_actions` permission is required to remove a user's photos.
- A page access token or a user access token with `manage_pages`, `publish_pages` permissions is required to remove a Page's photos.
- A photo can only be removed by the same app that published it.
e.g.
- We can delete a photo from a user's timeline using a user access token with `publish_actions` permission, provided the photo was published by the same app.
- We can delete a photo from a page using a page access token with `publish_pages` permission, provided the photo was published by the same app.
- We can delete a photo from a page using a user access token with `manage_pages` and `publish_pages` permissions together, provided the photo was published by the same app.
Here, the API allowed an app to delete a photo that the same app had published on a page using a user access token holding only the `publish_pages` permission. A simple permission check was missing, so the behaviour contradicted the documentation: the same-app rule was enforced, but the `manage_pages` requirement for user tokens was not.
Basically, the basic requirement for interacting with a page at all is an access token with the `manage_pages` permission. The API let me operate on the page without satisfying that requirement.
Proof Of Concept
- Post a photo on a page.
Request (page access token with `manage_pages`, `publish_pages` permissions):
POST /586241061522683/photos?access_token=redacted
Response:
{
"id": "652967904849998",
"post_id": "586241061522683_652967914849997"
}
Photo successfully published.
- Delete the photo from the page.
Request (user access token with `publish_pages` but without `manage_pages`):
DELETE /652967904849998/?access_token=redacted
Response:
{
"success": true
}
Photo successfully removed, even though the token never held `manage_pages`.
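To make the missing check concrete, here is an added model (not Facebook's code, and not part of the original writeup) of the delete-photo authorization rules from the Description above, run through the two-step scenario of the Proof of Concept. It assumes a simplified token representation (kind, issuing app, permission set), follows the writeup's reading that a page token needs only `publish_pages` while a user token acting on a Page needs both `manage_pages` and `publish_pages`, and returns an illustrative error body shaped loosely after a Graph API OAuthException rather than a copy of the real one. The IDs and app names are constructed.

```python
"""Model of the documented Graph API delete-photo rules versus the check that
was actually enforced. Added illustration, not Facebook's implementation."""
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class Token:
    """An access token as the API would see it after validation (assumed shape)."""
    kind: str              # "user" or "page"
    app_id: str            # app the token was issued to
    perms: FrozenSet[str]  # permissions granted to that app


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_kind: str        # "user" (timeline photo) or "page"
    owner_id: str
    published_by_app: str  # app that created the photo


Check = Callable[[Token, Photo], bool]


def can_delete_vulnerable(token: Token, photo: Photo) -> bool:
    """Behaviour observed in the writeup: the same-app rule is enforced, but a
    Page photo is deletable by any token carrying publish_pages; manage_pages
    is never demanded of a user token."""
    if token.app_id != photo.published_by_app:
        return False
    if photo.owner_kind == "user":
        return "publish_actions" in token.perms
    return "publish_pages" in token.perms


def can_delete_fixed(token: Token, photo: Photo) -> bool:
    """The documented rules: a page token needs publish_pages; a user token
    acting on a Page needs manage_pages AND publish_pages."""
    if token.app_id != photo.published_by_app:
        return False
    if photo.owner_kind == "user":
        return token.kind == "user" and "publish_actions" in token.perms
    if token.kind == "page":
        return "publish_pages" in token.perms
    return {"manage_pages", "publish_pages"} <= token.perms


def delete_photo(token: Token, photo: Photo, check: Check) -> dict:
    """Response body for DELETE /{photo-id} under the given check. The error
    body is illustrative only, not the exact Graph API wording."""
    if check(token, photo):
        return {"success": True}
    return {"error": {"type": "OAuthException",
                      "message": "Permissions error: token lacks the "
                                 "permissions required to remove this photo"}}


# Constructed scenario mirroring the PoC: app "app-1" published a photo on a
# Page with a page token (step 1); deletion is then attempted with a user
# token for the same app holding publish_pages but not manage_pages (step 2).
PAGE_TOKEN = Token("page", "app-1", frozenset({"manage_pages", "publish_pages"}))
USER_TOKEN_NO_MANAGE = Token("user", "app-1", frozenset({"publish_pages"}))
USER_TOKEN_FULL = Token("user", "app-1", frozenset({"manage_pages", "publish_pages"}))
OTHER_APP_PAGE_TOKEN = Token("page", "app-2", frozenset({"manage_pages", "publish_pages"}))
PAGE_PHOTO = Photo("photo-1", "page", "page-1", published_by_app="app-1")


def run_poc(check: Check) -> dict:
    """Step 2 of the PoC evaluated against a given authorization check."""
    return delete_photo(USER_TOKEN_NO_MANAGE, PAGE_PHOTO, check)


if __name__ == "__main__":
    print("vulnerable:", run_poc(can_delete_vulnerable))  # {'success': True}
    print("fixed:     ", run_poc(can_delete_fixed))       # error body
```

Running `run_poc` against both checks reproduces the writeup's finding: the legitimately published page photo is removed by a `publish_pages`-only user token under the vulnerable check, while the documented check refuses it and still accepts the page token, a user token with both permissions, and rejects any token from another app.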
That's all! :-)
I would like to thank Facebook's Security Team for patching this issue swiftly.
Timeline
Mar 26, 2015 1:17pm – Report sent
Mar 27, 2015 6:14am – Escalated by Facebook
Apr 1, 2015 10:51am – Asked for confirmation of the fix
Apr 1, 2015 8:31pm – Fix confirmed by me
Apr 1, 2015 11:39pm – Bounty awarded by Facebook