
The recently revised Facebook community standards page states that the social network is on a mission "to give people the power to share and make the world more open"; however, it appears that it may have been giving the wrong people the power to share stuff you thought was private. According to security researcher and bug bounty hunter Laxman Muthiyah, Facebook's photo sync feature came with a critical flaw which "allows any malicious Facebook application to read your mobile photos."

The vulnerability concerns Facebook's Photo Sync feature for mobile users, which was introduced back in 2012 but, because it was opt-in, may luckily have passed many users by. If, however, you had turned it on, then any photos you took with the phone would automatically be uploaded to the Facebook cloud, where they would be stored for future use. That use could be for including in your Facebook postings (the sync feature would, in theory, give you quicker access to all your images), or it could be seen as a handy backup system in case anything happened to your phone. The photos in the Facebook cloud were marked as private, so could not be seen by anyone else, again in theory. In practice, third-party apps that you had authorised to access your mobile photos could see them as well.

I'm not sure if that means all your photos are stored by Facebook, including any, shall we say, saucy ones. After all, that community standards page does say that Facebook will remove "photographs of people displaying genitals or focusing in on fully exposed buttocks. We also restrict some images of female breasts if they include the nipple", but it's unclear if that applies to photos that are synced and stored as well as to those that are published.

Whatever the case, this doesn't sound like a huge disaster at first glance; after all, if you have authorised an app to access the photos on your mobile device, then there's always a chance that the app may do something unexpected with them, and it's a chance you take. What you wouldn't expect, though, is for those authorised apps to be able to access photos which are not on your mobile device, which may have been taken by other mobile devices you own, and which are marked as private. This bug gave them the authority to do just that, by opening up all the images you had synced to Facebook to any such authorised app, including, of course, malicious ones.

Muthiyah explains how the Facebook mobile application makes a GET request to with a top-level access token to read the synced photos, and the Facebook server then checks the request for a proper access token before serving the synced photos as the response. "The vulnerable part is", he reported, "it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos."
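The authorisation flaw described above, modelled as an added example (constructed illustration, not Facebook's code): a token store binds each token to its owner, the application it was issued to, and its granted permissions; the flawed check validates only the owner and the user_photos permission, while the hardened check also requires the token to belong to the requesting application and restricts the synced-photo endpoint to the first-party app. All names (token strings, app IDs, file names) are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Hypothetical identifier for Facebook's own mobile app (constructed).
FIRST_PARTY_APP = "facebook_mobile"


@dataclass(frozen=True)
class AccessToken:
    owner: str               # user the token was issued for
    app_id: str              # application the token was issued to
    scopes: FrozenSet[str]   # granted permissions, e.g. {"user_photos"}


# Constructed sample data: two tokens for the same user, issued to
# different apps, both carrying the user_photos permission.
TOKENS = {
    "tok-fb-app": AccessToken("alice", FIRST_PARTY_APP, frozenset({"user_photos"})),
    "tok-quiz-app": AccessToken("alice", "photo_quiz_app", frozenset({"user_photos"})),
}

# Constructed sample data: alice's private, synced (never published) photos.
SYNCED_PHOTOS = {"alice": ["IMG_0001.jpg", "IMG_0002.jpg"]}


def _owner_and_scope_ok(token: AccessToken, user: str) -> bool:
    """The check both versions share: right owner, user_photos granted."""
    return token.owner == user and "user_photos" in token.scopes


def read_synced_photos_vulnerable(token_str: str, user: str,
                                  requesting_app: str) -> Optional[List[str]]:
    """Flawed server logic: requesting_app is never consulted, so any app
    holding a user_photos token for this user gets the synced photos."""
    token = TOKENS.get(token_str)
    if token is None or not _owner_and_scope_ok(token, user):
        return None
    return list(SYNCED_PHOTOS.get(user, []))


def read_synced_photos_fixed(token_str: str, user: str,
                             requesting_app: str) -> Optional[List[str]]:
    """Hardened: the token must have been issued to the app that presents it,
    and only the first-party app may read synced (unpublished) photos."""
    token = TOKENS.get(token_str)
    if token is None or not _owner_and_scope_ok(token, user):
        return None
    if token.app_id != requesting_app:      # token presented by another app
        return None
    if requesting_app != FIRST_PARTY_APP:   # third-party apps are denied
        return None
    return list(SYNCED_PHOTOS.get(user, []))
```

A third-party app holding a legitimate user_photos token is served by the vulnerable check and refused by the fixed one; the fixed check also refuses a first-party token that is presented by a different app.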

Or at least it did, as Facebook has fixed the vulnerability and paid Muthiyah a $10,000 bounty by way of reward. Personally, I'm not sure I would want all my photos being synced up to the Facebook cloud anyway, so I suggest that if you are using this 'just because', or are not sure whether you have ticked a "back up my photos to Facebook" type checkbox in the past, you turn it off. Full instructions for doing this can be found here.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Yup, he (Laxman Muthaiah) is my friend. After knowing about the bug, I disabled my auto sync.
