Friday, 20 March 2015

Facebook found leaking private photos

Creepy iOS, Android apps could gain access to the pictures.



Bug Hunter Laxman Muthiyah has reported a Facebook vulnerability that exposes private photos to potentially malicious applications.

The hacker received US $10,000 from Menlo Park for reporting the bug in Facebook Photo sync and an API that allows third party apps to gain access to private pictures.

The "user_photos" permission could gain access to your private pictures prior to the patch.

"A Malicious app which you are using can read all of your private photos in few seconds", Muthiyah says. "After few minutes of testing, I realised that vaultimages endpoint is vulnerable".

The Facebook covered up the bug in 30 minutes by whitelisting official applications. It is unknown how many non-whitelisted apps now sport broken photo synchronisation features.

It is the second vulnerability that Muthiayah has reported to Facebook this year. Last month the hacker took US $12,500 for disclosing a method to delete photo albums from the site using Facebook Graph API and a mobile token.

No comments:

Post a Comment