As I understand it, the exploit involves crafting a URL to send in a removal request to the Facebook support. Wouldn't this count as social engineering or were the removal requests automated?
It seems you can send a crafted URL to request the deletion of images owned by Person A, to Person B. Cutting out any interaction from the original owner.
it looks like the request goes to the person who posted the photo first. presumably so that person can delete the photo without getting support involved. it looks like the problem was you could control the profile_id so it was different from the profile that owned the photo.
Regardless, well done!