
Facebook Vulnerability Leaks Users' Private Photos



If you have enabled the automatic Facebook Photo Sync feature on your iPhone, iPad or Android device, then beware: attackers can steal your personal photographs without your knowledge.

In 2012, the social network giant introduced the Facebook Photo Sync feature for iPhone, iPad and Android devices which, if you opt in, allows Facebook to automatically sync all the photos saved on your mobile device with your Facebook account.

The photos synced from your phone are automatically uploaded in the background to a private Facebook album, which is not visible to any of your Facebook friends or other Facebook users. However, you can then choose to share photos from that album on your Facebook timeline or send them as a message to a friend.

A bug bounty hunter, Laxman Muthiyah, discovered a critical flaw in the Facebook Photo Sync feature and Facebook API that could allow any third-party app to access your personal photos from the hidden Facebook Photo Sync album.

It's something that reminds me of "The Fappening" and "The Snappening", in which nude and personal photographs of top celebrities were leaked due to a security flaw in Apple's iCloud file storage service and an unofficial Snapchat messaging service app, respectively.

In a blog post published today, Laxman explained that the vulnerability resides in the privilege mechanism that decides which applications are allowed to access synced photos via the vaultimages API.

"The vulnerable part is, it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos," Laxman wrote in a blog post.

Technically, the synced private photo album should be accessible only by Facebook's official app, but because the API validates only the token owner and not the requesting application, any third-party app that has been granted the user_photos permission can read your personal synced photos.

Laxman previously disclosed a vulnerability in Facebook Graph API mechanism that allowed him to delete any photo album on Facebook owned by any user, any page or any group.


Although Facebook has patched the vulnerability reported by Laxman and rewarded him with $10,000 under its bug bounty program, Facebook users are advised to turn off the Facebook Photo Sync feature just to be on the safer side.

In order to do so, open the Facebook mobile app menu, scroll down and select Account > App Settings > Sync Photos, then choose 'Don't sync my photos.'



@quadxenon I missed you, kid; you haven't posted nonsense on my threads for a while.

Well, let me clarify: the point is that this vulnerability EXISTED, and maybe the people who do pentesting, blah, blah, blah, want to see what the guy did (see the video). Have you heard of a bypass or things like that?

Again, if you have nothing intelligent to say, or if you are only commenting for the +1, better not to comment at all.
