Hackers can access personal and private photos in Albums due to vulnerability in Facebook’s Photo-Sync option
A security researcher, Laxman Muthiya, has discovered a vulnerability in Facebook's Photo Sync option that made it possible for attackers to access private images stored by a Facebook user.
The Photo Sync feature was introduced by Facebook in 2012 so that users on platforms such as iPhone, iPad and Android can sync their images seamlessly. Once a user enables Photo Sync, Facebook automatically syncs all photos saved on the mobile device into the user's Facebook account.
The mobile app uploads the photos (up to 2 GB) in the background, and the user can later choose to share them with friends or post them to their wall.
Muthiya found that the Facebook Graph API, which handles the synced photos, stores these images in a container called "vaultimages." He probed vaultimages for flaws and found it vulnerable. In Muthiya's words:
"The Facebook mobile application makes a GET request to https://graph.facebook.com/me/vaultimages with a top-level access token to read the synced photos. The Facebook server checks the request for a proper access token and serves the synced photos of the respective user as the response.
The vulnerable part is that it just checks the owner of the access token and not the application which is making the request. So it allows any application with the user_photos permission to read your mobile photos."
In layman's terms, a Facebook user's synced private photo album should be readable only by Facebook's official app, but the vulnerability in vaultimages allowed any third-party app that had been granted the user_photos permission to read that user's personal synced photos.
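The authorization flaw Muthiya describes, modelled as an added example in Python (this is not Facebook's code): a simplified handler for the vaultimages endpoint that checks only the token's owner and the user_photos scope, beside a fixed version that also binds the endpoint to the application the token was issued to. The app identifiers, token structure and photo data are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumed placeholder identifiers; real app IDs are numeric and not on the page.
OFFICIAL_APP_ID = "official-mobile-app"
THIRD_PARTY_APP_ID = "some-third-party-app"


@dataclass(frozen=True)
class AccessToken:
    user_id: str            # owner of the token (who granted it)
    app_id: str             # application the token was issued to
    scopes: FrozenSet[str]  # granted permissions, e.g. {"user_photos"}


# Constructed sample data standing in for a user's synced (vault) photos.
VAULT = {"alice": ["IMG_0001.jpg", "IMG_0002.jpg"]}

# Two tokens for the same user: one issued to the official app, one to a
# third-party app that the user also granted user_photos.
OFFICIAL_TOKEN = AccessToken("alice", OFFICIAL_APP_ID, frozenset({"user_photos"}))
THIRD_PARTY_TOKEN = AccessToken("alice", THIRD_PARTY_APP_ID, frozenset({"user_photos"}))


def vaultimages_vulnerable(token: AccessToken, user_id: str) -> Optional[List[str]]:
    """Flawed check as described: verifies token owner and scope only.

    Any app holding a user_photos token for this user gets the vault photos.
    """
    if token.user_id != user_id or "user_photos" not in token.scopes:
        return None
    return list(VAULT.get(user_id, []))


def vaultimages_fixed(token: AccessToken, user_id: str,
                      allowed_apps: FrozenSet[str] = frozenset({OFFICIAL_APP_ID})
                      ) -> Optional[List[str]]:
    """Hardened check: additionally binds the endpoint to the requesting app.

    The user_photos scope alone is not enough; the token must have been issued
    to an application explicitly allowed to read synced (vault) photos.
    """
    if token.user_id != user_id or "user_photos" not in token.scopes:
        return None
    if token.app_id not in allowed_apps:
        return None  # deny: right user, right scope, wrong application
    return list(VAULT.get(user_id, []))


if __name__ == "__main__":
    print("vulnerable, third-party app:", vaultimages_vulnerable(THIRD_PARTY_TOKEN, "alice"))
    print("fixed, third-party app:     ", vaultimages_fixed(THIRD_PARTY_TOKEN, "alice"))
```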
Muthiya contacted Facebook's security team with the PoC, and Facebook immediately took notice of the bug and patched it. They also rewarded Muthiya with $10,000 for his find and added his name to the honor list of Facebook white hat hackers.
Muthiya has made a PoC video of the bug, which is given below: