A Facebook security flaw that could have paved the way for hackers to delete users' photo albums has won the researcher who discovered it an 8,000 bounty.
Lakshman Muthiyah, a researcher based in Tamil Nadu, said he was experimenting with the Facebook Graph API that allows developers to read and write data in Facebook applications, when he discovered he could send a "delete" function to a Facebook for Mobile application using the API that allowed him to delete any photo album on the site.
"This post is about a vulnerability found by me which allows a malicious user to delete any photo album on Facebook. Any photo album owned by an user or a page or a group could be deleted," Muthiyah said, in a blog post.
"I immediately reported this bug to the Facebook security team. They were too fast in identifying this issue and there was a fix in place in less than two hours from the acknowledgement of the report."
Facebook said in a statement: "We received a report about an issue with our Graph API and quickly fixed it."
The majority of Facebook bugs are uncovered by Indian security researchers, while the UK, Turkey and Germany come next in the charts. The company has been known to pay bounties up to 13,000 and to date, it has paid out over 1m to more than 300 researchers.
At the beginning of the month, Google announced it would be launching the Vulnerability Research Grants scheme, offering enhanced bounties for security researchers uncovering bugs on all its platforms, including within Google-developed Android apps.
Google security engineer Eduardo Vela Nava said on the company's blog: "We'll publish different types of vulnerabilities, products and services for which we want to support research beyond our normal vulnerability rewards.
"We'll award grants immediately before research begins, with no strings attached. Researchers then pursue the research they applied for, as usual. There will be various tiers of grants, with a maximum of $3,133.70."
