This guy got paid £8,000 for figuring out how to delete nearly every photo on Facebook

[Image: Mark Zuckerberg, Chairman and CEO of Facebook, speaks during a conference at the Mobile World Congress, the world's largest mobile phone trade show, in Barcelona, Spain, Monday, Feb. 24, 2014. AP Photo/Manu Fernandez]

Facebook has paid a security researcher $12,500 (£8,121) for uncovering a bug that allowed him to delete any person's photos or albums on the social network, without their permission.

The researcher, Muthiyah, tricked Facebook into thinking he was the owner of the photos, letting him delete them without warning. He gained access using the Graph API, Facebook's developer platform.

He tested it out with a guinea pig account, and was able to easily remove its photos. "OMG :D the album got deleted!" he wrote. "So I got access to delete all of your Facebook photos (photos which are public or photos I could see) :P lol :D"

The glitch wouldn't have affected quite every photo on Facebook. It's possible to set albums to private so they can only be viewed by the uploader or a select group of pre-approved people; these wouldn't have been affected. But if Muthiyah could see a photo, he could delete it. That covers profile pictures (which are public by default), the photos of brands and public figures, and those of people who haven't locked down their privacy settings.
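The bug described above is an authorization failure on a mutating request: a delete was accepted because the caller could see the album, not because the caller owned it. The toy album API below, added here as an illustration and not Facebook's code or Muthiyah's exploit, shows that pattern beside the corrected check. The album ids, tokens, data model and the `delete_album_*` function names are all assumptions for the example; nothing on this page documents how Facebook's own endpoint was implemented.

```python
"""Toy album-deletion API: visibility check vs. ownership check.

Added example. The data model, tokens and endpoint behaviour are assumed
for illustration only; they are not Facebook's.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Album:
    album_id: str
    owner: str
    visibility: str                      # "public" or "private"
    allowed_viewers: Set[str] = field(default_factory=set)


# Constructed sessions: access token -> authenticated user id.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-mallory": "mallory"}


def fresh_store() -> Dict[str, Album]:
    """Constructed sample data: one public and one private album owned by alice."""
    return {
        "alice-public": Album("alice-public", "alice", "public"),
        "alice-private": Album("alice-private", "alice", "private", {"bob"}),
    }


def authenticate(token: str) -> str:
    """Map a bearer token to a user; unknown tokens are rejected."""
    if token not in SESSIONS:
        raise PermissionError("invalid access token")
    return SESSIONS[token]


def can_view(album: Album, user: str) -> bool:
    """Read authorization: public, owner, or explicitly shared."""
    return (
        album.visibility == "public"
        or user == album.owner
        or user in album.allowed_viewers
    )


def delete_album_vulnerable(store: Dict[str, Album], album_id: str, token: str) -> int:
    """DELETE /{album_id} guarded only by the read check.

    This is the bug class from the article: anyone who can *see* the album
    is allowed to *delete* it. Returns an HTTP-style status code.
    """
    user = authenticate(token)
    album = store.get(album_id)
    if album is None:
        return 404
    if not can_view(album, user):
        return 403
    del store[album_id]                  # destructive action with no ownership check
    return 200


def delete_album_fixed(store: Dict[str, Album], album_id: str, token: str) -> int:
    """DELETE /{album_id} guarded by an ownership check.

    Read visibility and write authorization are separate questions. Albums the
    caller cannot see return 404 rather than 403 so the endpoint does not leak
    which ids exist; visible-but-not-owned albums are refused with 403.
    """
    user = authenticate(token)
    album = store.get(album_id)
    if album is None or not can_view(album, user):
        return 404
    if album.owner != user:
        return 403
    del store[album_id]
    return 200


def run_demo() -> Dict[str, int]:
    """Exercise both handlers as the attacker (mallory) and the owner (alice)."""
    return {
        "vuln_public_as_mallory": delete_album_vulnerable(fresh_store(), "alice-public", "tok-mallory"),
        "vuln_private_as_mallory": delete_album_vulnerable(fresh_store(), "alice-private", "tok-mallory"),
        "fixed_public_as_mallory": delete_album_fixed(fresh_store(), "alice-public", "tok-mallory"),
        "fixed_private_as_mallory": delete_album_fixed(fresh_store(), "alice-private", "tok-mallory"),
        "fixed_public_as_alice": delete_album_fixed(fresh_store(), "alice-public", "tok-alice"),
    }


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

The check a reviewer wants to see on any DELETE, PUT or POST handler is the one in `delete_album_fixed`: the principal derived from the token is compared with the resource's owner (or an explicit write ACL), and the read check is never reused as the write check. The vulnerable handler passes every test an ordinary user would run, because as the owner you can always delete your own album; it only fails when a second, unprivileged account is tried against someone else's resource, which is exactly how Muthiyah tested it.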

It's a major vulnerability, but instead of exploiting it, Muthiyah reported it to Facebook. The company clearly took the issue seriously, issuing a fix in just two hours. The social network also gave Muthiyah $12,500 as a bounty for finding the bug.

Tech companies frequently give out cash bounties to security researchers who flag up vulnerabilities in their software. It gives people an incentive to find bugs that official developers might have missed before they're identified by hackers and exploited.

Some go further, pre-emptively paying researchers before they've actually found anything.

You can read Muthiyah's own account of the bug. He has also put together a video showing how he did it.
