Facebook flaw lets anyone delete any Facebook photo without user interaction


How would you feel if your Facebook photos were removed without your knowledge? You would not even receive a notification when they were deleted.

That is exactly what security researcher Arul Kumar was able to do after he found a flaw in Facebook's "Support Dashboard." The find earned him a bounty of $12,500, or approximately P555,000.

So how did the bug work?
From Arul's blog:

Description:

The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees, who assess reports 24 hours a day, seven days a week. Mainly, this flaw exists on the mobile domain. In the Support Dashboard, if a reported photo was not removed by the Facebook team, the user has the other option to send a photo removal request to the owner via messages. If the user sends a claim message, the Facebook server will automatically generate a photo removal link and send it to the owner. If the owner clicks that link, the photo will be removed.

This flaw exists while sending the message. I can manually modify Photo_id and the owner's Profile_id so that I am able to receive any photo removal link in my inbox. It can be done without any user interaction. Also, Facebook will not notify the owner if his photo is removed.

Vulnerable URL/Parameter:

m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase":8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Changing the vulnerable parameters in the URL above, cid (the photo id) and rid (the profile id of the message recipient), allows the attacker to receive the removal link for any photo directly in his own inbox rather than in the inbox of the photo's real owner. The server trusted both values from the query string instead of taking the photo and its owner from the report itself.

The photo is deleted within minutes.
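The following is an added example, not Facebook's code and not from Arul's post: a toy model of the send-message endpoint in Python, once in the vulnerable form that trusts the client-supplied cid and rid, and once hardened so that the photo and the recipient are derived from the report record on the server, the removal link only works when the photo's owner confirms it, and the owner is notified. The user ids, photo ids, the hostname m.facebook.example and all class and function names are constructed for illustration; only the shape of the report URL comes from the write-up.

```python
import json
import secrets
from urllib.parse import parse_qs, urlparse

# The report URL from the write-up, with quotes normalised. PHOTO_ID and PROFILE_ID
# are the two values the attacker rewrites; everything else is left as published.
REPORT_URL = (
    "https://m.facebook.com/report/social/?phase=0&next_phase=8"
    '&pp={"first_dialog_phase":8,"support_dashboard_item_id":396746693760717,'
    r'"next":"\/settings\/support\/details\/?fbid=396746693760717",'
    r'"actions_to_take":"{\"send_message\":\"send_message\"}"}'
    "&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID"
)


def parse_report_url(url):
    """Pull the report item id (from the pp JSON blob) and the cid/rid query values."""
    query = parse_qs(urlparse(url).query)
    pp = json.loads(query["pp"][0])
    return {
        "support_dashboard_item_id": pp["support_dashboard_item_id"],
        "cid": query["cid"][0],
        "rid": query["rid"][0],
    }


class SupportDashboard:
    """Toy model of the Support Dashboard message flow (constructed, not Facebook's code).
    hardened=False reproduces the flaw; hardened=True applies the server-side checks."""

    def __init__(self, hardened):
        self.hardened = hardened
        # Constructed users: 42 is the victim, 77 the attacker, 55 an unrelated user.
        self.photos = {
            1001: {"owner": 42, "deleted": False},
            1003: {"owner": 55, "deleted": False},  # never reported by anyone
        }
        # The attacker legitimately reported photo 1001; that is the only item they hold.
        self.support_items = {396746693760717: {"reporter": 77, "photo_id": 1001}}
        self.inbox = {42: [], 55: [], 77: []}
        self.notified = []   # owners told that a photo of theirs was removed
        self.tokens = {}     # removal token -> (photo_id, intended recipient)

    def send_removal_request(self, session_user, item_id, cid, rid):
        item = self.support_items.get(item_id)
        if item is None or item["reporter"] != session_user:
            raise PermissionError("report does not belong to this user")
        if self.hardened:
            # Authoritative values come from the report record, never from the query string.
            photo_id = item["photo_id"]
            recipient = self.photos[photo_id]["owner"]
            if cid != photo_id or rid != recipient:
                raise PermissionError("cid/rid do not match the reported photo and its owner")
        else:
            # BUG: the client chooses which photo the link removes and who receives it.
            photo_id, recipient = cid, rid
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (photo_id, recipient)
        self.inbox[recipient].append(f"https://m.facebook.example/remove?token={token}")
        return token

    def click_removal_link(self, token, acting_user):
        photo_id, _recipient = self.tokens.pop(token)  # single use
        owner = self.photos[photo_id]["owner"]
        if self.hardened and acting_user != owner:
            raise PermissionError("only the photo owner can confirm removal")
        self.photos[photo_id]["deleted"] = True
        if self.hardened:
            self.notified.append(owner)  # the owner learns that the photo was removed
        return photo_id


def run_attack(hardened):
    """User 77 rewrites cid to an unrelated photo (1003) and rid to their own id, then
    clicks the link that lands in their own inbox. Returns True if 1003 was deleted."""
    server = SupportDashboard(hardened)
    url = REPORT_URL.replace("PHOTO_ID", "1003").replace("PROFILE_ID", "77")
    p = parse_report_url(url)
    try:
        token = server.send_removal_request(
            77, p["support_dashboard_item_id"], int(p["cid"]), int(p["rid"]))
        server.click_removal_link(token, acting_user=77)
    except PermissionError:
        pass
    return server.photos[1003]["deleted"]


def run_legitimate(hardened):
    """The intended flow: the link for the reported photo goes to its owner (42), who confirms."""
    server = SupportDashboard(hardened)
    url = REPORT_URL.replace("PHOTO_ID", "1001").replace("PROFILE_ID", "42")
    p = parse_report_url(url)
    token = server.send_removal_request(
        77, p["support_dashboard_item_id"], int(p["cid"]), int(p["rid"]))
    server.click_removal_link(token, acting_user=42)
    return server.photos[1001]["deleted"] and len(server.inbox[42]) == 1


if __name__ == "__main__":
    print("vulnerable: attacker deleted an unreported photo ->", run_attack(False))
    print("hardened:   attacker deleted an unreported photo ->", run_attack(True))
```

The hardened version keeps the legitimate flow intact: the reporter can still ask the owner to take a photo down, but the photo id and the recipient are looked up from the report on the server, any cid/rid that disagree are rejected, and the link itself is useless to anyone but the owner.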

See Arul's blog post and the accompanying demonstration video for details.

The vulnerability is considered critical because it deletes any Facebook photo without any interaction from the photo's owner.

About Clifford Trigo

Hi there! I am Clifford Trigo from the island of Bohol. Come over here and let's have fun! :3 Just keep reading :D