The recently revised Facebook community standards page states that the social network is on a mission "to give people the power to share and make the world more open"; however, it appears that it may have been giving the wrong people the power to share things you thought were private. According to security researcher and bug bounty hunter Laxman Muthiyah, Facebook's photo sync feature came with a critical flaw which "allows any malicious Facebook application to read your mobile photos."

The vulnerability concerns Facebook's Photo Sync feature for mobile users, which was introduced back in 2012 but, because it was opt-in, may luckily have passed many users by. If you had turned it on, however, then any photos you took with the phone would automatically be uploaded to the Facebook cloud, where they would be stored for future use. That use could be including them in your Facebook postings, and the sync feature would in theory give you quicker access to all your images, or it could be seen as a handy backup in case anything happened to your phone. The photos in the Facebook cloud were marked as private, so could not be seen by anyone else, again in theory. In practice, any third-party app you had authorised to access your photos could see them as well.

I'm not sure if that means all your photos are stored by Facebook, including any, shall we say, saucy ones. After all, that community standards page does say that Facebook will remove "photographs of people displaying genitals or focusing in on fully exposed buttocks. We also restrict some images of female breasts if they include the nipple", but it's unclear if that applies to photos that are synced and stored as well as to those that are published.

At first glance this doesn't sound like a huge disaster; after all, if you have authorised an app to access the photos on your mobile device, there is always a chance that the app will do something unexpected with them, and that is a chance you take. What you wouldn't expect, though, is for those authorised apps to be able to access photos which are not on your mobile device, which may have been taken by other mobile devices you own, and which are marked as private. This bug gave them the authority to do just that, opening up every image you had synced to Facebook to any app so authorised, including, of course, malicious ones.

Muthiyah explains how the Facebook mobile application makes a GET request, carrying a top-level access token, to read the synced photos; the Facebook server then checks the request for a valid access token before serving the synced photos in the response. "The vulnerable part is," he reported, "it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos." In other words, the server answered the question "does this token belong to the user whose photos are requested?" but never the question "was this token issued to the one application that is supposed to reach this endpoint?", so a token minted for any third-party app with the user_photos permission was accepted just as readily as the official app's own.
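The following is an added illustration of the class of mistake Muthiyah describes; it is example code written for this page, not Facebook's code, and its token records, app identifiers and photo store are all constructed. The vulnerable handler validates the token's owner and the user_photos scope only, so a third-party app's token for the same user is served the private synced photos; the hardened handler additionally requires the token to have been issued to the assumed first-party application ID.

```python
"""Toy model of an access check that validates the token owner but not
the issuing application (constructed example, not Facebook's code)."""
from dataclasses import dataclass

# Assumed identifier for the official mobile app (hypothetical value).
FIRST_PARTY_APP_ID = "official-mobile-app"


@dataclass(frozen=True)
class AccessToken:
    """Minimal OAuth-style token: owner, issuing app, granted scopes."""
    user_id: str
    app_id: str
    scopes: frozenset


class Forbidden(Exception):
    """Raised when a request fails authorisation."""


# Constructed fixtures: private synced photos per user ...
SYNCED_PHOTOS = {
    "alice": ["IMG_0001.jpg", "IMG_0002.jpg"],
    "bob": ["IMG_0100.jpg"],
}

# ... and a token table keyed by the opaque token string. Both alice tokens
# carry user_photos; only one was issued to the first-party app.
TOKENS = {
    "tok-official-alice": AccessToken("alice", FIRST_PARTY_APP_ID, frozenset({"user_photos"})),
    "tok-thirdparty-alice": AccessToken("alice", "some-third-party-app", frozenset({"user_photos"})),
    "tok-thirdparty-noscope": AccessToken("alice", "some-third-party-app", frozenset()),
    "tok-official-bob": AccessToken("bob", FIRST_PARTY_APP_ID, frozenset({"user_photos"})),
}


def _lookup(token: str) -> AccessToken:
    """Shared validation: the token must exist and carry user_photos."""
    tok = TOKENS.get(token)
    if tok is None:
        raise Forbidden("invalid token")
    if "user_photos" not in tok.scopes:
        raise Forbidden("token lacks user_photos permission")
    return tok


def vulnerable_get_synced_photos(token: str) -> list:
    """Vulnerable handler: checks owner and scope, ignores which app holds the token."""
    tok = _lookup(token)
    return list(SYNCED_PHOTOS.get(tok.user_id, []))


def fixed_get_synced_photos(token: str) -> list:
    """Hardened handler: the token must also have been issued to the first-party app."""
    tok = _lookup(token)
    if tok.app_id != FIRST_PARTY_APP_ID:
        raise Forbidden(f"synced photos are not exposed to application {tok.app_id!r}")
    return list(SYNCED_PHOTOS.get(tok.user_id, []))


def attempt(handler, token: str):
    """Run a handler and report ('ok', photos) or ('denied', reason)."""
    try:
        return ("ok", handler(token))
    except Forbidden as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    for token in TOKENS:
        print(f"{token:24s} vulnerable={attempt(vulnerable_get_synced_photos, token)}")
        print(f"{'':24s} fixed={attempt(fixed_get_synced_photos, token)}")
```

Running the script shows the third-party token for alice being served her synced photos by the vulnerable handler and refused by the fixed one, while the official app's tokens behave identically under both. The practitioner's check when reviewing an endpoint like this is to ask not only "is the token valid and scoped?" but "which client was it issued to, and is that client allowed here?", since scope and owner alone do not distinguish the first-party app from any other app the user has approved.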

Or at least it did, as Facebook has fixed the vulnerability and paid Muthiyah a $10,000 bounty by way of reward. Personally, I'm not sure I would want all my photos being synced up to the Facebook cloud anyway, so I suggest that if you are using this 'just because', or are not sure whether you clicked on a "back up my photos to Facebook" type checkbox in the past, you turn it off. Full instructions for doing this can be found here.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011, despite my life being far from over...

Yup, he (Laxman Muthaiah) is my friend. After knowing about the bug, I had disabled my auto sync.