"Any photo album owned by an user or a page or a group could be deleted," said Muthiyah, though he clarified later "photos which are public or the photos I could see," implying private photos as well if the attacker had permission to view the album. Security firm Sophos adds, "So long as [Muthiyah] had the photo album ID and permission to view the album he could delete it... Facebook album IDs are numeric, which means that guessing them is easy - you start with 1 and just keep going up. "
This was essentially a Graph API flaw in Facebook Android app which potentially allowed a target album to be deleted with its numbered ID. Facebook was quick to response on the reported vulnerability by Muthiyah and offered him $12,500 (approximately Rs. 7.76 lakhs) through Facebook's bug bounty program.
So how did that happen?
According to Muthiyah, while Facebook notes that its photo albums cannot be deleted using the album node in Graph API, he tried to delete one of his own photo albums with a Facebook for mobile access token using the same Graph API and it got deleted.
"I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn't it? Yeah and also it uses the same Graph API. so took a album id & Facebook for Android access token of mine and tried it," notes Muthiyah.
But when he tried the same for some other person's photo album with its album ID, it got deleted as well, "So, what's the next step? Took victim's album ID and tried to delete it. I was very curious to see the result. OMG the album got deleted!"
Luckily the bug has been fixed by Facebook, and Muthiyah played a true altruist by not trying to profit by it. Muthiyah said he "immediately reported this bug to Facebook security team." "They were too fast in identifying this issue and there was a fix in place in less than two hours from the acknowledgement of the report," he added.
Later, a Facebook representative also issued a statement on company's behalf, stating(via Sophos' Nakedsecurity blog), "We received a report about an issue with our Graph API and quickly fixed it within two hours of verifying the claims. To be clear, triggering this issue would have required knowledge of the ID of the target photo album, as well as permission to view the album based on the album's privacy settings. We'd like to thank the researcher who reported the issue to us through our bug bounty program."