Facebook bug would have allowed hackers to easily delete your photos

By Rex Santus

Many of us have dozens, hundreds or even thousands of photos logged on Facebook. A nefarious bug on the website -- which has since been mended -- would have allowed hackers to arbitrarily delete them.

A blogger named Laxman Muthiyah discovered the issue. It all came down to a rather brief HTTP request:

Request :-

    DELETE /(Victim's_photo_album_id) HTTP/1.1
    Host : graph.facebook.com
    Content-Length: 245

    access_token=(Your(Attacker)_Facebook_for_Android_Access_Token)

Just by inserting the photo album's ID number, Muthiyah was able to delete Facebook pictures that did not belong to him. A person on the receiving end of this request would have no idea why her pictures were suddenly gone.

This was all possible because of a flaw in Facebook's Graph API, the HTTP-based interface through which apps read and write Facebook data. The Graph API requires an access token to act on someone's data, but Muthiyah, using only his own token, got Facebook to delete other people's pictures. The token proved who was making the request; nothing stopped that person from deleting an album that belonged to someone else.
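The missing check described above, shown as an added example that is not from the original article or from Facebook's code: a constructed in-memory model of a delete endpoint, first with authentication only and then with an ownership check and an audit record. All names, tokens and album IDs are hypothetical.

```python
import copy

# Constructed sample data: token -> user, album id -> record.
TOKENS = {"tok-alice": "alice", "tok-mallory": "mallory"}
ALBUMS = {"1001": {"owner": "alice", "photos": 42},
          "2002": {"owner": "mallory", "photos": 3}}


def authenticate(access_token):
    """Return the user the token belongs to, or None if it is unknown."""
    return TOKENS.get(access_token)


def delete_album_vulnerable(albums, album_id, access_token):
    """Authentication only: any valid token may delete any album."""
    if authenticate(access_token) is None:
        return 401
    if album_id not in albums:
        return 404
    del albums[album_id]
    return 200


def delete_album_fixed(albums, album_id, access_token, audit_log):
    """Authentication plus an object-level ownership check."""
    user = authenticate(access_token)
    if user is None:
        return 401
    album = albums.get(album_id)
    # Same response for "missing" and "not yours", so the endpoint
    # does not confirm which album IDs exist.
    if album is None or album["owner"] != user:
        audit_log.append(("denied_delete", user, album_id))
        return 404
    del albums[album_id]
    audit_log.append(("deleted", user, album_id))
    return 200


def demo():
    """Send the same cross-account delete to both handlers."""
    a, b, log = copy.deepcopy(ALBUMS), copy.deepcopy(ALBUMS), []
    vulnerable = delete_album_vulnerable(a, "1001", "tok-mallory")
    fixed = delete_album_fixed(b, "1001", "tok-mallory", log)
    return vulnerable, "1001" in a, fixed, "1001" in b, log
```

The `denied_delete` entries are what a detection rule would watch: repeated denials from one account across many album IDs indicate someone probing for this class of flaw.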

Muthiyah, being a decent human being, reported the massive flaw to Facebook immediately. For his trouble, he was awarded a $12,500 bounty. Sometimes it pays to be nice -- literally.

Fear not: Those embarrassing photos from high school are safe. The issue has been resolved, according to Facebook. Of course, if this had gotten out before Facebook had a chance to fix it, the damage could have been far worse than $12,500.
