Facebook has paid a security researcher $US12,500 (£8,121) for uncovering a bug that allowed him to delete any person’s photos or albums on the social network, without their permission.
Naked Security reports that Laxman Muthiyah figured out a way to trick the social network into thinking he was the owner of the photos — letting him delete them without warning. He gained access using the Graph API, Facebook’s developer platform.
He tested it out with a guinea pig account, and was able to easily remove its photos. “OMG :D the album got deleted!” Muthiyah wrote on his site. “So I got access to delete all of your Facebook photos (photos which are public or photos I could see) :P lol :D”
Facebook reached out to Naked Security to clarify that the glitch wouldn’t have affected every photo on Facebook. It’s possible to set albums to private so they can only be viewed by the uploader or a select group of pre-approved people. These wouldn’t have been affected. But if Muthiyah could see an album, he could delete it. It could be used to wipe profile pictures (which are public by default), the photos of brands and public figures, and those of people who haven’t locked down their privacy settings.
It’s a major vulnerability, but instead of exploiting it, Muthiyah reported it to Facebook. And the company clearly took the issue seriously, issuing a fix in just two hours. The social network also gave Muthiyah $US12,500 as a bounty for finding the bug — according to ZDNet, it’s one of the highest reward tiers available. It also publicly thanked him on the site.
Tech companies frequently give out cash bounties to security researchers who flag up vulnerabilities in their software. It gives people an incentive to try to find bugs that official developers might have missed before they’re identified by hackers and exploited.
Google has even begun offering grants to researchers — pre-emptively paying them before they have actually found anything.
You can read Muthiyah’s complete explanation of the vulnerability on his site. He has also put together a video showing how he did it: