Flaw would have allowed any user to delete any Facebook photo album
Facebook has awarded an Indian security researcher $12,500 (£8,121) for discovering a bug that allowed anyone to surreptitiously delete another user’s photo album on the social network.
Lakshman Muthiyah, a researcher based in Tamil Nadu, said he discovered the flaw while experimenting with Graph API, an application programming interface (API) for reading and writing user data in Facebook applications.
He found that sending a “delete” request from the Facebook for Mobile application, which uses Graph API, allowed him to erase any photo album.
“I immediately reported this bug to the Facebook security team,” Muthiyah wrote. “They were too fast in identifying this issue and there was a fix in place in less than two hours from the acknowledgement of the report.”
Facebook confirmed that Muthiyah had reported the issue through its bug bounty programme.
“We received a report about an issue with our Graph API and quickly fixed it,” the company stated.
India is, after the US, the country from which the most Facebook bug research originates, followed by the UK, Turkey and Germany, according to the company. A similar album-deleting bug was reported by Indian researcher Arul Kumar in 2013, who also received a $12,500 bounty.
The company said 329 researchers have received payments amounting to more than $1m in the past two years through the bounty programme, with the largest single payment being $20,000. Facebook last year doubled its bounty for finding flaws in advertising code.
Other major high-tech companies also offer bounty programmes, including Microsoft, Google and Mozilla.
Google earlier this month said it would begin paying researchers up-front to hunt for flaws in high-profile software and services.
Are you a security pro? Try our quiz!