The latest Facebook bug bounty went to a web developer who discovered a bug that let him delete any photo album from the network. Laxman Muthiyah, a developer from India, received a bounty of $12,500 for reporting the album-deleting bug. After two hours, Facebook got back to Muthiyah to let him know that the bug had been fixed and offered him the bounty. The bug targeted Facebook’s Graph API, which lets users delete their own photo albums by clicking “delete album.”
Once Muthiyah discovered the bug, he tried deleting one of his own albums and, after succeeding, reported it to Facebook’s technical support team. In a blog post titled “How I Hacked Your Facebook Photos”, Muthiyah has explained in detail how the bug, which can delete a Facebook user’s photos, actually works.
IT security company Sophos also points out in its Naked Security blog that Facebook album IDs are numeric, making them easy to guess. This means an attacker could have run a script to generate random album IDs and delete entire albums without the users knowing about it.
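
Because numeric IDs are guessable, the protection has to come from a server-side ownership check on every delete, with denied attempts logged so that ID guessing shows up. The sketch below is an added example, not Facebook's code or anything from Muthiyah's post; `AlbumStore`, `enumeration_suspects`, the user names and the album IDs are all hypothetical and constructed for illustration.

```python
from collections import defaultdict

class AlbumStore:
    """Toy album store (hypothetical; not Facebook's Graph API)."""

    def __init__(self, albums):
        self.albums = dict(albums)   # album_id -> owner_id
        self.audit = []              # (caller_id, album_id, outcome)

    def delete_album(self, caller_id, album_id):
        owner = self.albums.get(album_id)
        # Authorize on ownership, never on knowledge of the ID. "Missing" and
        # "not yours" get the same reply, so a guessed ID is not confirmed.
        if owner is None or owner != caller_id:
            self.audit.append((caller_id, album_id, "denied"))
            return 404
        del self.albums[album_id]
        self.audit.append((caller_id, album_id, "deleted"))
        return 200

def enumeration_suspects(audit, threshold=3):
    """Callers denied on at least `threshold` distinct album IDs."""
    denied = defaultdict(set)
    for caller, album_id, outcome in audit:
        if outcome == "denied":
            denied[caller].add(album_id)
    return sorted(c for c, ids in denied.items() if len(ids) >= threshold)

def demo():
    # Constructed sample data: sequential numeric album IDs, two owners.
    store = AlbumStore({1001: "alice", 1002: "bob", 1003: "bob", 1004: "alice"})
    # A caller who owns nothing walks a range of IDs; every request is refused.
    results = [store.delete_album("mallory", i) for i in range(1000, 1006)]
    # The real owner can still delete her own album.
    results.append(store.delete_album("alice", 1001))
    return store, results

if __name__ == "__main__":
    store, results = demo()
    print(results, sorted(store.albums), enumeration_suspects(store.audit))
```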