Tommy DeVoss, a Facebook bug bounty hunter, couldn’t have asked for a better gift from Santa this Christmas. Last week, the social media giant paid him $5,000 for finding out a security vulnerability that gave him access to view the private email addresses of any Facebook user. “The hack allowed me to harvest as many email addresses as I wanted from anybody on Facebook,” DeVoss said. “It didn’t matter how private you thought your email address was – I could have grabbed it.” DeVoss discovered the vulnerability on Thanksgiving Day and reported it to Facebook via its bug bounty program, he said. Facebook said it would award DeVoss $5,000 for the discovery only after weeks of thorough verification of what the exact bug was and how it was abused. And finally, last Tuesday they did reward him. The bug was related to the user-generated Facebook Groups feature that allows any member to create an affinity group on the social network’s platform. DeVoss found out that he could invite any Facebook member as an administrator of a Facebook Group in order to have Admin Roles via Facebook’s system to do things such as add new members or edit post. Managed by Facebook, those invitations were sent not only to the invited recipient’s Facebook Messages inbox, but also to the Facebook user’s email address linked to their account. Users in several cases choose to keep their email addresses private. Even though privacy settings were set by Facebook members, DeVoss found out that he was able to gain access to any Facebook user’s email address whether he was Friends with them or not. However, DeVoss found a bug when he cancelled pending invitations to those invited to be Facebook Group Administrators. “While Facebook waits for the confirmation, the user is forwarded to a Page Roles tab that includes a button to cancel the request,” he said. Next, he moved over to Facebook’s mobile view of the Page Roles tab. It was here that DeVoss was able to view the complete email addresses of anyone he wanted to cancel from becoming a Facebook Group Administrator. “I noticed that when you clicked to cancel the administrator invitation on the mobile page, you were redirected to a page with the email address in the URL,” he said. “Now all you have to do is pluck the plaintext version of the confidential email address straight from the URL.” In a blog post describing his discovery, he wrote that the effect of this vulnerability could be diverse. “Harvesting email addresses this way contradicts Facebook’s privacy policy and could lead to targeted phishing attempts or other malicious purposes.” Confirming the hack, Facebook said that it has no proof that the vulnerability was ever exploited. It also said that has implemented a fix to stop the bug from being abused. DeVoss, a software developer in Virginia, said this is the biggest bug bounty payment he has ever received. He takes part in a number of bug bounty programs including Yahoo’s and the Hack the Pentagon program, he told Threatpost. On the other hand, Facebook in October had announced that ever since it implemented its bug bounty program five years ago, it has paid out more than $5 million to 900 researchers. It paid out $611,741 to 149 researchers in the first half of 2016 alone, said the company.