[WRITE-UP] Irremovable Facebook group album photos and entire album under certain circumstances (Bounty: 1000 USD)

Hi guys, it's Shubham Bhamare again. In this write-up, I'm going to tell you about one of my very simple Facebook bug which was found accidentally as I wasn't in the mood of testing at that time and was just browsing our business group on Facebook.

Due to this issue, Facebook group admin was unable to delete group album photos as well as entire album under certain circumstances.

So without wasting time, let's start! 👉


Setup and Scenario:

1) A Facebook group where only a page (ABC) is an admin.

2) An attacker (XYZ) is a Facebook user who's the member of above group.

Platform: Facebook Web


Reproduction steps:

1) From ABC's perspective, create an album in a group.

Creating an album in a group
Album created by ABC

2) From XYZ's perspective, add some photos to above album.

Adding photos to the album
Photo uploaded by group member (XYZ)

3) Now when ABC will try to delete that photos added by XYZ, there won't have any option to delete them. Even though ABC used other platforms like Android/iOS/Lite app, mobile site to delete that photos, it won't be possible.

There's no option to delete a photo uploaded by group member

ABC will only be able to delete his/her own photos. Being an admin of the group, he should be able to delete photos added by other group members. But there wasn't have any option at that time when I reported this issue.


Fix and Bypass:

Team fixed this issue by adding edit button on photos added by other group members. But when I was verifying the fix, I found that if group admin tried to delete entire album (if it includes photos of other members), he/she won't be able to delete it as it was showing an error message.

Delete Album button
Showing an error message while deleting entire album

Impact behind this 2nd issue was, if malicious member added thousand of inappropriate photos to album, then group admin won't be able to delete that entire album. He/she'll have to delete every photo one by one.

Also we can imagine what will happen if multiple group members added thousand of inappropriate photos to that album. 😁



1000 USD (500 USD for initial report and 500 USD for bypassing the fix or for finding 2nd issue)

1000 USD bounty awarded by Facebook



Apr 21, 2019: Report sent
Apr 24, 2019: Pre-triaged
Apr 27, 2019: Triaged
May 15, 2019: Fixed
May 16, 2019: Fix bypassed/2nd issue found
May 17, 2019: Fixed completely
May 17, 2019: 1000 USD bounty awarded



1) While browsing something (even though you're not in the mood of hunting), always observe whether something's working as intended or not.

2) Don't reveal your findings until you fully believe that there won't be any bypass for it. 😉 Check another endpoints/features too for similar issues.

3) Sometimes you just need logical thinking instead of any advanced tools or knowledge. Because Logic == Magic. 😊

4) If you're new to Facebook bug bounty, try to find logical bugs the most.


Thank you for reading! Stay tuned for my next write-up and don't forget to follow me on Facebook, Twitter, Instagram and Medium. 😊






Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

40,000,000 Catex Tokens (CATT) Locked Up

{UPDATE} Escape If You Can 4 Hack Free Resources Generator


{UPDATE} PocketNPC Hack Free Resources Generator

inSure DeFi Community Partners with Moralis to Power its Decentralized Insurance Ecosystem.

Broken authentication demystified

Broken authentication demystified

{UPDATE} Home Designer Match Blast Hack Free Resources Generator

How and Where to Buy FortKnoxster (FKX) — An Easy Step by Step Guide | Crypto Buying Tips


Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Shubham Bhamare

Shubham Bhamare


More from Medium

My Pentest Log -13- (Bypass Renaming on File Upload)

XSS - The LocalStorage Robbery

AlbusSec:- Penetration-List 05 Cross-Site-Scripting (XSS) — Part 2

The story of 3 bugs that lead to Unauthorized RCE — Pascom Systems