Researcher bags £8k reward for finding Facebook album delete flaw


A Facebook security flaw that could have let attackers delete other users' photo albums has earned the researcher who discovered it a £8,000 bounty.

Lakshman Muthiyah, a researcher based in Tamil Nadu, said he was experimenting with the Facebook Graph API, which lets developers read and write Facebook data from their applications, when he found that a "delete" request sent through the API in the context of a Facebook for Mobile application let him delete any photo album on the site, not just his own.

"This post is about a vulnerability found by me which allows a malicious user to delete any photo album on Facebook. Any photo album owned by a user or a page or a group could be deleted," Muthiyah said, in a blog post.

"I immediately reported this bug to the Facebook security team. They were too fast in identifying this issue and there was a fix in place in less than two hours from the acknowledgement of the report."

Facebook said in a statement: "We received a report about an issue with our Graph API and quickly fixed it."
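The flaw as described is a missing object-level authorization check: the API accepted a delete on an album the caller did not own. The following is an added example, not code from the article, from Muthiyah's post or from Facebook, that models that class of bug in a toy album service: one delete handler that checks only that the token is valid and carries the right scope, beside one that also checks the caller against the specific album. The album store, the `Caller` model, the scope name `manage_albums` and the handler names are all constructed for illustration; the article does not say which check the real Graph API endpoint lacked.

```python
"""Added example: object-level authorization on a delete endpoint.

Not Facebook's code. Models the bug class described in the article: a
valid token with the right scope could delete an album it did not own.
All names and data here are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Album:
    album_id: str
    owner: str                      # user, page or group id that owns it
    admins: frozenset = frozenset()  # extra principals allowed to manage it


@dataclass(frozen=True)
class Caller:
    actor: str        # the user id the access token was issued to
    scopes: frozenset  # permissions granted to the token (hypothetical names)


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


# Constructed sample data: Alice owns album_1; a page owns album_2 and
# Bob administers that page.
ALBUMS = {
    "album_1": Album("album_1", owner="user_alice"),
    "album_2": Album("album_2", owner="page_acme", admins=frozenset({"user_bob"})),
}

REQUIRED_SCOPE = "manage_albums"  # hypothetical scope name


def delete_album_unchecked(store, caller, album_id):
    """Vulnerable variant: the token is valid and carries the scope, so the
    handler deletes whatever album id it is pointed at. Nothing ties the
    caller to the album, so any user can delete any album."""
    if REQUIRED_SCOPE not in caller.scopes:
        raise Forbidden("token lacks the required scope")
    return store.pop(album_id, None) is not None


def delete_album_checked(store, caller, album_id):
    """Hardened variant: same scope check, then an object-level check that
    the caller owns or administers this specific album before deleting."""
    if REQUIRED_SCOPE not in caller.scopes:
        raise Forbidden("token lacks the required scope")
    album = store.get(album_id)
    if album is None:
        return False  # nothing to delete; do not reveal more than that
    if caller.actor != album.owner and caller.actor not in album.admins:
        raise Forbidden(f"{caller.actor} may not delete {album_id}")
    del store[album_id]
    return True


def demo():
    """Run both handlers as an unrelated user against Alice's album and
    return (album_lost_under_unchecked, album_lost_under_checked)."""
    mallory = Caller("user_mallory", frozenset({REQUIRED_SCOPE}))

    store = dict(ALBUMS)
    delete_album_unchecked(store, mallory, "album_1")
    lost_unchecked = "album_1" not in store

    store = dict(ALBUMS)
    try:
        delete_album_checked(store, mallory, "album_1")
    except Forbidden:
        pass
    lost_checked = "album_1" not in store

    return lost_unchecked, lost_checked


if __name__ == "__main__":
    print(demo())
```

The point of the hardened handler is that scope and token validity are necessary but not sufficient: the authorization decision has to be made per object, against the owner (or delegated admins) of the thing being deleted, and the same rule applies whether the owner is a user, a page or a group.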

The majority of Facebook bugs are uncovered by Indian security researchers, with the UK, Turkey and Germany next in the rankings. The company has been known to pay bounties of up to £13,000 and to date it has paid out more than £1m to over 300 researchers.

At the beginning of the month, Google announced it would launch its Vulnerability Research Grants scheme, offering up-front grants, on top of its normal vulnerability rewards, to security researchers hunting bugs across its platforms, including within Google-developed Android apps.

Google security engineer Eduardo Vela Nava said on the company's blog: "We'll publish different types of vulnerabilities, products and services for which we want to support research beyond our normal vulnerability rewards.

"We'll award grants immediately before research begins, with no strings attached. Researchers then pursue the research they applied for, as usual. There will be various tiers of grants, with a maximum of $3,133.70."

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.