

Facebook refuses again to pay exploit bounty - tailbalance
http://ehrazahmed.blogspot.in/2013/09/exploit-for-removing-any-account-from.html

======
sgrenfro
I'm a software engineer at Facebook working on security and privacy. This is
simply a hoax. The HTML source shown in the video clearly says "No test user
was deleted". We've verified in our logs that the victim account was manually
deactivated by visiting
[https://www.facebook.com/deactivate.php](https://www.facebook.com/deactivate.php).
Anyone can visit
[https://www.facebook.com/whitehat/accounts/](https://www.facebook.com/whitehat/accounts/)
and verify that the query parameter used by this endpoint is
selected_test_users, not selected_users. We've also audited our code to verify
that there's no variant of this exploit that works against that endpoint or
any other that we've found. In fact, the most recent code change to this
endpoint was in April and was routine maintenance that had no security
implications.

------
floor_
Hope he doesn't try to prove his point like the other guy did with Zucker's
account.

