Facebook has paid an Indian security researcher $12,500 (~£8,120) for discovering a major bug on its social platform which would have otherwise allowed hackers to delete almost any photo on the network without the owner's permission. The researcher, Laxman Muthiyah accomplished this feat by using the Graph API, Facebook's developer platform, and tricking Facebook into thinking that he was the owner of all the photos, which subsequently granted him permission to delete any photo on the social network.
To fully test his discovery, Muthiyah created a temporary Facebook account and then successfully deleted an entire photo album from it, as he states on his blog:
OMG :D the album got deleted! So i got access to delete all of your Facebook photos (photos which are public or the photos i could see) :P lol :D
Instead of exploiting this rather major vulnerability, Muthiya did the right thing and immediately notified Facebook of the issue, who reportedly fixed it within the next two hours.
Facebook publicly thanked Muthiyah for discovering the bug and rewarded him with $12,500 - one of the highest tiers for White hat hackers as a 'bug bounty'.
The vulnerability did have its limitations though, Facebook clarified that Muthiyah did not gain permission to delete all the photos on the social platform, he only accessed the rights to delete 'public' photos. However, if the researcher had the URLs to private photos, he could also have wiped them off the social platform.