Facebook found leaking private photos

Bug hunter Laxman Muthiyah has reported a Facebook vulnerability that exposes private photos to potentially malicious applications.

The hacker received US$10,000 from Menlo Park for reporting the bug in Facebook Photo Sync and an API that allows third party apps to siphon private pics.

Muthiyah says iOS and Android apps that contain a user_photos permission could prior to the patch nab photos by simply residing on a victim's device.

"A malicious app which you are using can read all of your private photos in few seconds," Muthiyah says.

"After few minutes of testing, I realised that [the] vaultimages endpoint is vulnerable.

"... it just checks the owner of the access token and not the application which is making the request, so it allows any application with user_photos permission to read your mobile photos."

Vaultimages resides within the Facebook Graph API and handles synchronisation of photos from devices to the social media site

Muthiyah found the Facebook app makes GET requests to /vaultimages using a top level access token to read photos which is verified using an access token. Facebook however did not check what application issued the request.

Attackers would need to pull off the usual effective social engineering tricks that rely on users ignoring notifications that list the access permissions sought by an app.

Facebook pounced on Muthiyah's disclosure, shuttering the bug in 30 minutes by whitelisting official applications.

It is unknown how many non-whitelisted apps now sport broken photo synchronisation features.

The vulnerability is the second Muthiyah has reported to Facebook this year. Last month the hacker scored US$12,500 for quietly disclosing a method to delete photo albums from the site using the Facebook Graph API and a mobile token.