Now again same researcher Laxman Muthiyah, have discovered another security holes on Facebook. This time researcher demonstrates how he can see the private photos of users Facebook's accounts. This was a critical issue resides again in the Facebook Graph API which allows attackers to see users private photos.
How Your Private Photos Exposed?
On the blog post researcher explained that how a malicious Facebook application exposed all your private photos of your account. Researcher says that Facebook had a feature called "Sync photos" which help us to keep a backup (up to 2 GB) of mobile photos. This feature enables Facebook mobile application to upload all the photos taken by your mobile to your account and it would remain private until you publish it. Sync photos feature is turned on by default in some mobile phones.
So he started research on this default feature of Facebook, and after some time he came to know that "vaultimages" endpoint of Facebook Graph API is handling these synced photos. He started research on Vaultimage endpoint and found that it is vulnerable.
The vulnerable part is, Facebook just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos.
There are thousands of app which uses users_photos permission to read the users account photos. So a single malicious app can sync all your mobile photos within a second.
Researcher Muthiyah has also published a video demonstration of the bug as a proof-of-concept.
How to Prevent it?
There are lots many users who didn't check the permision list while giving permission to an app for their account. So it is recommend to do check before your use app and allow permission.
Another thing we can do is to control the sync function of our device from the app settings. Most of us are unaware of the sync function, which makes backup of all the device data. If you don't want Facebook to backup your photos, go to app settings and turn it off.
Muthiyah had reported the issue to Facebook team and within an hour the issues had been fixed. For his research, Facebook rewarded him with $10,000 as per bug bounty program. Earlier also he had got a reward of $12,500 from Facebook for reporting critical bug on Facebook.
Currently, Muthiyah is in the Top of the list of Facebook White Hat honour.