An Indian security researcher has been awarded $12,500 by Facebook after discovering a ridiculously simple hack that could have wiped out vast numbers of photos on Facebook.
Using Facebook’s API and a mobile access token, Muthiyah used the following four-lines to request an album deletion for one of his albums:
DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
Facebook’s servers responded with a “true” message, indicating that the album had gotten wiped out. He then tried the same thing on “a victim’s” album.
“OMG :D the album got deleted!,” Muthiyah writes. “So I got access to delete all of your Facebook photos (photos which are public or the photos I could see) :P lol :D.”
Here’s a short screencast video he recorded that shows the hack in action:
Naked Security points out that Muthiyah could have “milked” his discovery and done a great deal of damage to Facebook and the photos of people around the world.
Instead, Muthiyah did the right thing. He immediately reported the issue through Facebook’s bug bounty program. The service fixed the bug in less than two hours and, after reviewing it, decided to award Muthiyah with $12,500 for his help.
Image credits: Header photo by Johan Larsson