A security researcher recently made seriously startling discovery. With just four lines of code, he could delete any photo album on Facebook. Mark Zuckerberg's wedding photos? Zap. Seun Osewa's profile pics? Gone. Your graduation album? Lost forever. Lucky for you, he decided to report the bug to Facebook, which promptly cut him a check.

The anti-Facebook super-weapon was no more than a four line HTTP request:
DELETE /518171421550249 HTTP/1.1
Host : graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>

So long as he had the photo album id and permission to view the album he could delete it. Facebook album IDs are numeric, which means that guessing them is easy - you start with 1 and just keep going up.

Laxman Muthiyah could've done a lot of damage with this precious knowledge. Since the album ID numbers are sequential, he could've built a bot to go through and systematically delete everyone's albums. Or held Facebook hostage in order to get a big bounty.

"He could have milked it," says blogger Mark Stockley, "kept his discovery under wraps (giving somebody less upstanding a chance to find it), engaged a PR firm and given it a fancy name." But he didn't; Laxman reported the bug to Facebook like some white hat hacker prince.

The bug is now completely fixed. Guess how much Facebook paid him for being a hero: $12,500. Maybe Facebook should tack a zero onto the end of that sum and just hire Laxman to come and work for its security team. They clearly need the help.

Read the full article here: http://www.gizmodo.co.uk/2015/02/some-guy-figured-out-how-to-delete-every-photo-on-facebook/


Considering the PR catastrophe Facebook would have suffered if this has gotten into wrong hands, do you think they should have payed him more??

Catchy...he was nice to a fault..
Point taken

Yep,they should have paid way more.

That money is chicken change compared to Facebook' s net worth. They should have given hin employment with a mouth watering income.