Facebook users’ personal photos could be in the hands of hackers, a security expert claims.
A bug in Facebook Photo Sync allows third-party apps to access photos originally stored on your smartphone, according to Laxman Muthiyah, a bounty hunter who discovered the bug.
The social network’s photo sync feature, introduced in 2012, will upload all your iOS and Android smartphone snaps to your Facebook account if you’ve opted in.
Ordinarily, those pictures will go to a private album that’s not visible to friends or other users of the social network.
But Muthiyah found a huge vulnerability in the Photo Sync API that grants third-party apps access to those personal pictures.
He discovered that an endpoint granting access to sync requests was vulnerable.
Explaining the bug on his blog, he wrote: “The vulnerable part is, it just checks the owner of the access token and not the application which is making the request.
“So it allows any application with user_photos permission to read your mobile photos.”
A large number of Facebook apps use the user_photos permission to read users’ public photos, he warned, adding: “A malicious app which you are using can read all of your private photos in few seconds.”
Facebook has no patched the bug, rewarding Muthiyah with a $10,000 cheque, but the bug researcher suggested users opt out of Photo Sync just in case.
Muthiyah’s no stranger to Facebook rewards, though, after bagging $12,500 last month when he discovered he could send a “delete” function to a Facebook for Mobile application via an API that gave him the power to delete any photo album on the site.
Source: http://ift.tt/1OdwbFn
from hacker samurai http://ift.tt/1OdwcZM
via IFTTT
No comments:
Post a Comment