A design flaw in the recent Facebook update FB5 let malicious users remove other users' profile pictures and reset them to the default Facebook profile picture.
The vulnerability was discovered by security researcher Philippe Harewood, who had early access to FB5. Zuckerberg had earlier said that FB5 would bring the biggest change to the Facebook app and website.
With FB5, Facebook used GraphQL, an open-source API query language, to handle removal of the profile picture from a Facebook fan page. GraphQL has been used by Facebook's mobile apps since 2012.
Harewood explains that the profile_picture_remove mutator is the GraphQL call responsible for this specific mutation.