A dangerous bug that makes it possible to delete photos on Facebook has been discovered by software engineer Laxman Muthiyah. The finding prompted the social network to patch the hole within two hours.
The software engineer received a lump-sum reward from Facebook for the biggest bug find in the history of the social network.
Facebook has so far awarded 19 bug hunters this year. The bug was Muthiyah’s third to be reported since 2013.
“I got the key to delete all of your Facebook photos,” Muthiyah said.
The bug allows a potential attacker to delete a photo album, a page or a group using his Facebook Android app token and the ID of a target album. Security controls like rate limiters can stop any scripts that try this trick.
Facebook claimed that one cannot delete albums using the Graph API, the interface that allows developers to read and write users' data.
According to experts, one can delete photos with a few lines of code and a phone or a Raspberry Pi. The code can even run on a digital watch.
Laxman Muthiyah published a YouTube video explaining the vulnerability.