Researcher Demonstrates Hacking of Facebook Private Photos

Last month an Indian security researcher found a critical bug in Facebook that allowed an attacker to delete any photo album of any Facebook account. The researcher explained that the bug resided in the Graph API and let him delete any photo album of any Facebook user, including albums belonging to fan pages and Facebook groups.

Now the same researcher, Laxman Muthiyah, has discovered another security hole in Facebook. This time he demonstrates how he can see the private photos in users' Facebook accounts. This critical issue again resides in the Facebook Graph API and allows attackers to see users' private photos.

How Were Your Private Photos Exposed?
In his blog post the researcher explained how a malicious Facebook application could expose all the private photos in your account. Facebook has a feature called "Sync photos" that keeps a backup (up to 2 GB) of your mobile photos. It lets the Facebook mobile application upload every photo taken with your phone to your account, where it remains private until you publish it. The Sync photos feature is turned on by default on some mobile phones.

So he started researching this default feature, and after some time learned that the "vaultimages" endpoint of the Facebook Graph API handles these synced photos. He then examined the vaultimages endpoint and found that it was vulnerable.

"Facebook mobile application makes a GET request to https://graph.facebook.com/me/vaultimages with a top level access token to read the synced photos. Facebook server checks the request for proper access token and serve the synced photos of the respective user as response." - he wrote.

The vulnerable part is that Facebook only checks the owner of the access token, not the application that is making the request. So it allows any application with the user_photos permission to read your mobile photos.

There are thousands of apps that use the user_photos permission to read the photos in a user's account. So a single malicious app could sync all your mobile photos within a second.
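To make the authorization flaw concrete, here is an added illustration in Python (not Facebook's code or the researcher's) that models the endpoint's access-token check in its vulnerable and hardened forms. The first-party app id, the token fields and the vault contents are constructed for illustration; only the /me/vaultimages endpoint name comes from the article.

```python
# Added example, not Facebook's code: a simplified model of the vaultimages
# access-token check. Token fields, app ids and vault contents are constructed.
from dataclasses import dataclass

FIRST_PARTY_APP_ID = "fb-mobile-app"   # hypothetical id of Facebook's own app


@dataclass(frozen=True)
class AccessToken:
    user_id: str          # owner of the token (the user who granted it)
    app_id: str           # application the token was issued to
    scopes: frozenset     # granted permissions, e.g. {"user_photos"}


# Constructed synced-photo vault, keyed by user id.
VAULT = {"u1": ["IMG_0001.jpg", "IMG_0002.jpg"], "u2": ["IMG_0300.jpg"]}


def vaultimages_vulnerable(token: AccessToken) -> list:
    """Reproduces the flaw: only the token owner and the user_photos scope
    are verified, so any third-party app holding such a token receives the
    owner's synced (still private) photos."""
    if "user_photos" not in token.scopes:
        raise PermissionError("user_photos scope required")
    return VAULT.get(token.user_id, [])


def vaultimages_fixed(token: AccessToken) -> list:
    """Hardened check: the endpoint serves first-party traffic only, so the
    app the token was issued to must match as well, not just its owner."""
    if token.app_id != FIRST_PARTY_APP_ID:
        raise PermissionError("endpoint restricted to the first-party app")
    if "user_photos" not in token.scopes:
        raise PermissionError("user_photos scope required")
    return VAULT.get(token.user_id, [])


def outcome(handler, token: AccessToken) -> str:
    """Return 'allowed' or 'denied' for a handler/token pair."""
    try:
        handler(token)
        return "allowed"
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    official = AccessToken("u1", FIRST_PARTY_APP_ID, frozenset({"user_photos"}))
    third_party = AccessToken("u1", "some-photo-app", frozenset({"user_photos"}))
    for name, handler in (("vulnerable", vaultimages_vulnerable), ("fixed", vaultimages_fixed)):
        print(name, "official:", outcome(handler, official),
              "third-party:", outcome(handler, third_party))
```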

Vulnerability Demonstration
Muthiyah has also published a video demonstration of the bug as a proof of concept.

How to Prevent It?
Many users never check the permission list when granting an app access to their account. So it is recommended to review the permissions before you use an app and allow them.

Another thing you can do is control the sync function of your device from the app settings. Most of us are unaware of the sync function, which backs up all the device data. If you don't want Facebook to back up your photos, go to the app settings and turn it off.

Muthiyah reported the issue to Facebook's team, and the issue was fixed within an hour. For his research, Facebook rewarded him with $10,000 under its bug bounty program. Earlier he had also received a reward of $12,500 from Facebook for reporting a critical bug.

Currently, Muthiyah is at the top of Facebook's White Hat honour list.