$12,500 for Reporting Facebook Bug That Allowed You To Delete Anyone’s Photos

2 years ago


Researcher Laxman Muthiya discovered that Facebook had an extraordinarily simple bug that essentially gave anyone the ability to delete any photo on Facebook. Literally any photo: this could have given someone the ability to delete every single photo on Facebook.

The bug was in Facebook’s Graph API, which lets you delete an entire photo album with one command. That of course is meant to apply only to photos that belong to you and are in your account, not photos from other accounts. However, using the mobile version of that API, the following command was all it took to instantly wipe pretty much anyone’s Facebook photos.

Request :-
DELETE /518171421550249 HTTP/1.1
Host : 
Content-Length: 245
access_token= facebook_for_android_access_token
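
The class of flaw described above, reduced to a constructed model (an added example, not Facebook's code or the researcher's): a delete handler that skips the ownership check for one client's tokens, next to the corrected handler, with an authorization-matrix check that flags any cross-user delete. The article does not state the server-side cause, so the skipped check, the token names, the album ids and the "mobile" app label are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    user_id: str  # account the token acts for
    app: str      # client the token was issued to (hypothetical labels)

# Constructed sample data: album id -> owning user, and two tokens for one user.
ALBUMS = {"album-1": "alice", "album-2": "bob"}
TOKENS = {
    "tok-web-alice": Token("alice", "web"),
    "tok-mobile-alice": Token("alice", "mobile"),
}

def delete_album_flawed(albums, token, album_id):
    """Before: ownership is only enforced for tokens not issued to the mobile client."""
    if album_id not in albums:
        return 404
    if token.app != "mobile" and albums[album_id] != token.user_id:
        return 403
    del albums[album_id]
    return 200

def delete_album_fixed(albums, token, album_id):
    """After: ownership is enforced for every token, whatever client issued it."""
    if album_id not in albums:
        return 404
    if albums[album_id] != token.user_id:
        return 403
    del albums[album_id]
    return 200

def run_matrix(handler):
    """Call the handler for every (token, album) pair, each on a fresh copy of the store."""
    return {(name, album_id): handler(dict(ALBUMS), token, album_id)
            for name, token in TOKENS.items() for album_id in ALBUMS}

def cross_user_deletes(results):
    """Pairs where a delete succeeded on an album the token's user does not own."""
    return sorted(pair for pair, status in results.items()
                  if status == 200 and ALBUMS[pair[1]] != TOKENS[pair[0]].user_id)

if __name__ == "__main__":
    print("flawed:", cross_user_deletes(run_matrix(delete_album_flawed)))
    print("fixed: ", cross_user_deletes(run_matrix(delete_album_fixed)))
```

Running the same matrix against every client type that can obtain a token is what catches a check that exists on one path and is missing on another.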

Quite a few people would have taken this as an opportunity to cause some mayhem. It could have developed into a massive problem for Facebook all over the world, but Muthiya decided against that and did the right thing: he reported it to Facebook. The company kindly gave him $12,500 for his discovery.

Source: The Verge
