According to the documentation mentioned here (https://developers.facebook.com/docs/graph-api/reference/v2.3/photo#deleting), an app can delete a photo when the following conditions are met:
- A user access token with `publish_actions` permission is required to remove a user's photos.
- A Page access token or a user access token with `publish_pages` permission is required to remove a Page's photos.
- A photo can only be removed by the same app that published it.
- We can delete a photo from a user's timeline using a user access token with `publish_actions` permission, provided the photo was published by the same app.
- We can delete a photo from a Page using a Page access token with `publish_pages` permission, provided the photo was published by the same app.
- We can delete a photo from a Page using a user access token with `publish_pages` permissions collectively, provided the photo was published by the same app.
Here, it allowed an app to delete a photo that the same app had published on a Page, using a user access token carrying only the `publish_pages` permission. A simple permission check was missing, so the behaviour contradicted the documentation.
Basically, the basic requirement for interacting with a Page is an access token with the `manage_pages` permission. But it allowed me to act on Pages without satisfying that basic requirement.
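To make the missing check concrete, here is an added authorization model (example code written for this write-up, not Facebook's code) that encodes the rules quoted above: token type, `publish_actions` / `publish_pages`, the same-app rule, and the `manage_pages` requirement described in the previous paragraph. It shows the flawed decision the post reports beside the corrected one. The `Token` and `Photo` structures, their fields (`subject_id`, `managed_pages`) and the function names are assumptions made for this model.

```python
"""Authorization model for deleting a photo through a Graph-API-style endpoint.

Added example, not Facebook's code. It encodes the rules the post quotes from
the v2.3 documentation (token type, publish_actions / publish_pages, same app)
and the manage_pages requirement the post describes, first as the flawed check
the post reports and then as the corrected one. Token, Photo, their fields and
the function names are assumptions made for this model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    kind: str                       # "user" or "page"
    app_id: str                     # app the token was issued to
    permissions: frozenset          # granted permission names
    subject_id: str                 # user id for user tokens, page id for page tokens
    managed_pages: frozenset = frozenset()  # pages the user administers (assumed field)


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_kind: str                 # "user" or "page": where the photo was posted
    owner_id: str
    published_by_app: str           # app that published it


def can_delete_flawed(token: Token, photo: Photo) -> bool:
    """The behaviour the post reports: only the permission names on the token
    are consulted, so a user token carrying publish_pages can delete any Page
    photo its app published, whether or not the user manages that Page."""
    if photo.published_by_app != token.app_id:
        return False
    if photo.owner_kind == "user":
        return token.kind == "user" and "publish_actions" in token.permissions
    return "publish_pages" in token.permissions


def can_delete_fixed(token: Token, photo: Photo) -> bool:
    """Corrected check: every rule ties the token to the photo's owner, and a
    user token acting on a Page must carry manage_pages and actually manage it."""
    if photo.published_by_app != token.app_id:
        return False                                        # same-app rule
    if photo.owner_kind == "user":
        return (token.kind == "user"
                and "publish_actions" in token.permissions
                and token.subject_id == photo.owner_id)     # own timeline only
    if photo.owner_kind == "page":
        if token.kind == "page":
            return ("publish_pages" in token.permissions
                    and token.subject_id == photo.owner_id)  # that Page's own token
        if token.kind == "user":
            return ("publish_pages" in token.permissions
                    and "manage_pages" in token.permissions  # the check that was missing
                    and photo.owner_id in token.managed_pages)
    return False                                            # anything else: deny


# Constructed sample data reproducing the post's scenario (not real ids).
APP = "app-A"
PAGE_PHOTO = Photo("photo-1", "page", "page-42", APP)
PUBLISH_PAGES_ONLY = Token("user", APP, frozenset({"publish_pages"}), "user-7")
PAGE_ADMIN = Token("user", APP, frozenset({"publish_pages", "manage_pages"}),
                   "user-8", frozenset({"page-42"}))
OTHER_APP_ADMIN = Token("user", "app-B", frozenset({"publish_pages", "manage_pages"}),
                        "user-8", frozenset({"page-42"}))


if __name__ == "__main__":
    for name, tok in [("publish_pages only", PUBLISH_PAGES_ONLY),
                      ("page admin, same app", PAGE_ADMIN),
                      ("page admin, other app", OTHER_APP_ADMIN)]:
        print(f"{name:24} flawed={can_delete_flawed(tok, PAGE_PHOTO)!s:5} "
              f"fixed={can_delete_fixed(tok, PAGE_PHOTO)}")
```

Running it shows the single row that matters: the token with `publish_pages` but no `manage_pages` is accepted by the flawed check and rejected by the fixed one, while a genuine Page admin of the same app is accepted by both and any token from another app is refused by both.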
Proof Of Concept
- Post a photo on a page.
Request (Page access token with permissions
Photo successfully published.
- Delete a photo from page.
Request (User access token with permissions
Photo successfully removed.
That's all! :-)
I would like to thank Facebook's Security Team for patching this issue swiftly.
Mar 26, 2015 1:17pm – Report Sent
Mar 27, 2015 6:14am – Escalation by Facebook
April 1, 2015 10:51am – Asked about confirmation of fix
April 1, 2015 8:31pm – Fix confirmed by me
April 1, 2015 11:39pm – Bounty awarded by Facebook