The security researcher, Stephen Sclafani, has discovered a critical vulnerability in the popular social networking site, Facebook, which allows him to violate any account.
Stephen just needs it name user to hack into an account and read mail, view email addresses, create or delete notes etc.
As he explains in his blog, an incorrect setting at the endpoint makes it possible to make legitimate REST API calls to each user on Facebook, using only their user name.
Facebook REST API is said to be the predecessor of the available Graph API. He managed to send a request to the server using this API to update the status of the victim's account.
Stephen discovered this vulnerability on April 23 and reported it on Facebook. After the update Facebook temporarily fixed it error on April 30th. Facebook rewarded the researcher with a $ 20.000 reward for finding and reporting the bug.
