Muthiyah immediately reported the bug to Facebook: the vulnerability was fixed in less than two hours, and the researcher was rewarded with $12,500 USD!
The exploit is very simple: the HTTP API request, made with an access token generated for the Facebook mobile app, deletes album #518171421550249 without any authorization check, i.e. without verifying that the album belongs to the user the token was issued to.
Here is a video demonstration.
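To make the class of bug concrete, here is a constructed model of a delete endpoint that checks only the token's permission and forgets to check ownership, beside the corrected version. This is added example code, not Facebook's implementation and not the actual request from the report; the `Token` class, user names, the `user_photos` scope name and the second album are made-up sample data, and only the album ID is the one quoted above.

```python
"""Constructed model (not Facebook's code) of an insecure direct object
reference in an album-deletion endpoint, beside its hardened form."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Hypothetical API token: who it was issued to, by which client app,
    and which permissions it carries."""
    user_id: str
    app_id: str
    scopes: frozenset


# Constructed sample data: the album ID from the post plus one made-up album.
ALBUMS = {
    "518171421550249": {"owner": "victim"},
    "1001": {"owner": "attacker"},
}


def delete_album_vulnerable(albums, token, album_id):
    """Vulnerable: verifies that the token carries the permission, but never
    that the album actually belongs to the token's user, so any valid token
    with the scope can delete any album ID."""
    if "user_photos" not in token.scopes:
        return "403 missing permission"
    if album_id not in albums:
        return "404"
    del albums[album_id]
    return "200 deleted"


def delete_album_fixed(albums, token, album_id):
    """Fixed: the caller must hold the permission AND own the target object.
    Unknown and foreign albums get the same answer so the endpoint cannot be
    used to enumerate which album IDs exist."""
    if "user_photos" not in token.scopes:
        return "403 missing permission"
    album = albums.get(album_id)
    if album is None or album["owner"] != token.user_id:
        return "404"
    del albums[album_id]
    return "200 deleted"


def demo():
    """Run the attacker's token against both handlers; returns the two results."""
    attacker = Token("attacker", "mobile_app", frozenset({"user_photos"}))
    vuln = delete_album_vulnerable(dict(ALBUMS), attacker, "518171421550249")
    fixed = delete_album_fixed(dict(ALBUMS), attacker, "518171421550249")
    return vuln, fixed


if __name__ == "__main__":
    print(demo())
```

The one-line difference is the ownership comparison: permission scopes say what a client may do in general, not which objects it may do it to, and the second check has to be made per request against the object being acted on.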