Stephen just need your user ID, he can hack into your account and read private messages, view email addresses, create or delete notes, on top of that he can update status and upload photos and tag you friends, on behalf you.

Stephen Sclafani , a Security Researcher, has discovered a critical security vulnerability in the Social Networking giant Facebook that allowed him to hack any facebook accounts."A misconfigured endpoint allowed legacy REST API calls to be made on behalf of any Facebook user using only their user ID" Stephen explained in hisThe Facebook REST API is said to be predecessor of Facebook’s current Graph API. He managed to send request to server using this API such that it will update status on behalf of victim.Stephen found this bug in April 23 and reported to Facebook. After getting notification, Facebook permanently fixed the bug on April 30th. Facebook awarded $20,000 bounty to him for finding and reporting this bug.