[Robin_Message]

Putting the user id in the request is obviously wrong, since the owner can looked up from the photo id.

Automated testing/fuzzing could find this, but probably better training/practices would be easier to get right and save time/money in the long run.

[bunkat]

I think this is one of the things that Microsoft did a pretty good job with. There is a security process in place that every product goes through for every release. While it still can't catch everything, even the simplest of threat models would have caught a bug like this.

While Facebook most likely does do some form of threat modeling for their main site, without a rigid process for all code that goes public you'll run into issues like this that are just as severe. Just because it's a mobile support site for requesting photo removals doesn't mean it is less important surface area in terms of security.

[MichaelApproved]

Exactly. As little as possible should be passing through the querystring. Put in the minimum amount in the QS and look the rest up in the DB. If possible, the QS should be signed for an extra layer of protection.