After tech enthusiast Laxman Muthiyah in India uncovered a vulnerability that allowed him to delete “any photo album owned by an user or a page or a group” on Facebook and reported it, the social media giant decided to pay him a substantial $12,500 bounty for the discovery, according to a post on his blog 7xter.com.
While Facebook's developer documentation noted that photos cannot be deleted via the album node in the Graph API, which developers use to read and write user data, Muthiyah was able to determine from the cues in an error message that there would be a way to delete photos through "some other application [that] does have the capability to make this API call."
He decided to try again using the access token of the Facebook for Android mobile app, which has a delete option and uses the same Graph API.
Once Muthiyah confirmed that he could also delete a victim's album by plugging in the victim's album ID, he alerted Facebook's security team.
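The flaw described above is an object-level authorization gap: the API enforced which application was allowed to call DELETE on an album, but not whether the user behind the token owned the album. The following is an added illustration, not Facebook's code or Muthiyah's, that models a toy album store with a handler that checks only the calling app beside a hardened handler that also checks ownership. All names (app IDs, user IDs, the `user_photos` scope, the `DELETE_CAPABLE_APPS` set) are constructed for the example.

```python
"""Toy model of an app-level vs object-level authorization check.

Constructed example; it does not reproduce the real Graph API, only the
shape of the mistake: trusting the calling app's capability as a stand-in
for a per-object ownership check.
"""
from dataclasses import dataclass


@dataclass
class Album:
    album_id: str
    owner_id: str


@dataclass(frozen=True)
class AccessToken:
    user_id: str          # the user who granted the token
    app_id: str           # the application the token was issued to
    scopes: frozenset     # permissions granted to that app


# Hypothetical: only a first-party mobile app may call the delete endpoint.
DELETE_CAPABLE_APPS = {"app-mobile"}

# Hypothetical scope name required for album deletion.
REQUIRED_SCOPE = "user_photos"


def fresh_albums() -> dict:
    """Constructed sample data: two albums owned by two different users."""
    return {
        "album-1": Album("album-1", owner_id="user-owner"),
        "album-2": Album("album-2", owner_id="user-other"),
    }


def delete_album_vulnerable(token: AccessToken, album_id: str, albums: dict) -> tuple:
    """Checks only WHICH APP is calling, never who owns the album.

    This mirrors the article: third-party apps are refused with an error
    message, but a capable app's token can delete any album ID it supplies.
    """
    if token.app_id not in DELETE_CAPABLE_APPS:
        return (False, "app cannot make this API call")
    if album_id not in albums:
        return (False, "not found")
    del albums[album_id]
    return (True, "deleted")


def delete_album_hardened(token: AccessToken, album_id: str, albums: dict) -> tuple:
    """App capability AND granted scope AND object-level ownership.

    The ownership check is the one that was missing. Missing and foreign
    albums get the same response so the endpoint does not confirm which
    IDs exist.
    """
    if token.app_id not in DELETE_CAPABLE_APPS:
        return (False, "app cannot make this API call")
    if REQUIRED_SCOPE not in token.scopes:
        return (False, "missing permission")
    album = albums.get(album_id)
    if album is None or album.owner_id != token.user_id:
        return (False, "not found")
    del albums[album_id]
    return (True, "deleted")


if __name__ == "__main__":
    other = AccessToken("user-other", "app-mobile", frozenset({REQUIRED_SCOPE}))
    print("vulnerable:", delete_album_vulnerable(other, "album-1", fresh_albums()))
    print("hardened:  ", delete_album_hardened(other, "album-1", fresh_albums()))
```

In the hardened version a token from a capable app still cannot remove an album it does not own, and the denial is indistinguishable from a missing ID. For detection, log object-level denials per token and alert on a single token accumulating "not found" responses across many distinct object IDs, which is the signature of someone iterating IDs against this kind of endpoint.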
“There was a fix in place in less than 2 hours,” he wrote. Shortly thereafter he received a message from Facebook confirming the award, along with instructions for claiming the bounty through bugbountypayments.com.