Another serious privacy vulnerability has been found on Facebook, which could have put at risk the private photos of millions of users.
The problem lies in Facebook Photo Sync, an opt-in feature that the social network introduced in late 2012, which meant any photos you took on your iPhone or Android device would automatically sync up with your Facebook account.
The good news is that the feature was opt-in, so many Facebook users probably never enabled it in the first place, but those suffering from a Facebook addiction disorder may have found the offer of automatically uploading every single photo you take to a supposedly private Facebook album too alluring to resist.
But, as security researcher Laxman Muthiyah discovered to his financial gain, even though the photos should not have been visible to your Facebook friends or other Facebook users without your approval, there was a way for malicious hackers to access them.
Muthiyah found a critical flaw in how Facebook handles the photos:
“The Facebook mobile application makes a GET request to https://graph.facebook.com/me/vaultimages with a top-level access token to read the synced photos. The Facebook server checks the request for a proper access token and serves the synced photos of the respective user as the response.
The vulnerable part is that it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos.”
In other words, only Facebook’s official app should have been able to access the private photo album that had been synchronised. Instead, any third-party app holding a user’s token with the user_photos permission was able to check out their personal and private snaps.
“There are large numbers of Facebook applications which use the user_photos permission to read users’ public photos.
A malicious app which you are using can read all of your private photos in a few seconds.”
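To make the gap Muthiyah describes concrete, here is an added Python model (not Facebook’s code; the app ids, resource names and sample photo store are constructed) of an owner-and-scope-only check beside one that also binds each resource to the application the token was issued to, so third-party apps keep their legitimate access to public photos while the synced-photo store stays first-party only:

```python
from dataclasses import dataclass

# Hypothetical identifier for the first-party mobile app (not a real app id).
OFFICIAL_APP_ID = "official-mobile-app"

# Per-resource policy: which scope is needed and which apps may read it.
# "apps": None means any application holding the scope may read it.
RESOURCE_POLICY = {
    "photos": {"scope": "user_photos", "apps": None},
    "vaultimages": {"scope": "user_photos", "apps": {OFFICIAL_APP_ID}},
}

# Constructed sample store: user -> resource -> items.
STORE = {
    "u1": {"photos": ["beach.jpg"], "vaultimages": ["IMG_001.jpg", "IMG_002.jpg"]},
}

@dataclass(frozen=True)
class AccessToken:
    user_id: str        # the owner the token was issued for (resolves "/me")
    app_id: str         # the application the token was issued to
    scopes: frozenset   # granted permissions, e.g. {"user_photos"}

def read_flawed(token, resource):
    """Owner-and-scope check only: the behaviour described in the article.
    The owner is taken from the token, so any app with the right scope passes."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None or policy["scope"] not in token.scopes:
        return None
    return STORE.get(token.user_id, {}).get(resource, [])

def read_fixed(token, resource):
    """Same owner-and-scope check, plus the application the token was issued to
    must be on the resource's allow-list. A valid user token presented by the
    wrong application is rejected instead of served."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None or policy["scope"] not in token.scopes:
        return None
    if policy["apps"] is not None and token.app_id not in policy["apps"]:
        return None  # right user, right scope, wrong application
    return STORE.get(token.user_id, {}).get(resource, [])

if __name__ == "__main__":
    third_party = AccessToken("u1", "some-third-party-app", frozenset({"user_photos"}))
    print("flawed:", read_flawed(third_party, "vaultimages"))   # private photos leak
    print("fixed: ", read_fixed(third_party, "vaultimages"))    # None
    print("fixed, public photos:", read_fixed(third_party, "photos"))
```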
Fortunately, Muthiyah is one of the good guys. If he had been malicious, he might have been tempted to create a rogue app to steal intimate images of innocent Facebook users, and humiliate them by sharing his treasure trove of photos on the internet. In the past, internet users have been blackmailed after hackers have managed to get photographs of them in compromising situations.
Instead, Muthiyah did the right thing. He informed Facebook’s security team, who acknowledged his discovery and pushed out a fix within 30 minutes. According to Muthiyah, Facebook’s security team were “awesome in this regard.”
That’s hard to argue with – a 30-minute response to a serious privacy flaw is impressive by anybody’s standards.
But the fact remains that one has to assume that the flaw has been there on Facebook ever since the photo sync service was introduced in late 2012 – more than two years ago. Although it’s good that Facebook has now resolved the issue, it should never have been there in the first place, or their own researchers should have discovered the problem rather than leaving it for others to uncover.
It makes me wonder – just how many more clangers are there in Facebook’s code?
Muthiyah, who just last month discovered another flaw in Facebook that could have seen billions of Facebook photos deleted, should be commended for his responsible disclosure of the vulnerability to Facebook – only making details public after the privacy hole was patched.
For his latest discovery, Laxman Muthiyah has been awarded a $10,000 bug bounty. I hope such a generous reward encourages him to continue looking for bugs in Facebook’s website and other online services. If it weren’t for people like him, all of us would find ourselves at greater risk online.