+

Cookies on the Business Insider India website

Business Insider India has updated its Privacy and Cookie policy. We use cookies to ensure that we give you the better experience on our website. If you continue without changing your settings, we\'ll assume that you are happy to receive all cookies on the Business Insider India website. However, you can change your cookie setting at any time by clicking on our Cookie Policy at any time. You can also see our Privacy Policy.

Close
HomeQuizzoneWhatsappShare Flash Reads
 

This guy got paid £8,000 for figuring out how to delete nearly every photo on Facebook

Feb 13, 2015, 17:16 IST

Advertisement

Facebook has paid a security researcher $12,500 (£8,121) for uncovering a bug that allowed him to delete any person's photos or albums on the social network, without their permission.

Naked Security reports that Laxman Muthiyah figured out a way to trick the social network into thinking he was the owner of the photos - letting him delete them without warning. He gained access using the Graph API, Facebook's developer platform.

He tested it out with guinea pig account, and was able to easily remove its photos. "OMG :D the album got deleted!" Muthiyah wrote on his site. "So I got access to delete all of your Facebook photos (photos which are public or photos I could see) :P lol :D"

Facebook reached out to Naked Security to clarify that the glitch wouldn't have affected quite every photo on Facebook. It's possible to set albums to private so they can only be viewed by the uploader or a select group of pre-approved people. These wouldn't have been affected. But if Muthiyah could find it, he could delete it. It could be used to wipe profile pictures (which are automatically default), the photos of brands and public figures, and those of people who haven't locked down their privacy settings.

It's a major vulnerability, but instead of exploiting it, Muthiyah reported it to Facebook. And the company clearly took the issue seriously, issuing a fix in just two hours. The social network also gave Muthiyah $12,500 as a bounty for finding the bug - according to ZDNet, it's one of the highest reward tiers available. It also publicly thanked him on the site.

Advertisement

Tech companies frequently give out cash bounties to security researchers who flag up vulnerabilities with their software. It gives people incentive to try and find bugs that official developers might have missed before they're identified by hackers and exploited.

Google has even begun offering grants to researchers - pre-emptively paying them before they've actually found anything.

You can read Muthiyah's complete explanation of the vulnerability on his site. He's has also put together a video showing how he did it:

NOW WATCH: A 13-Year-Old Made A Revolutionary Invention Out Of Legos And Now Intel Is Investing In His Company

Please enable Javascript to watch this video
You are subscribed to notifications!
Looks like you've blocked notifications!
Next Article