What if your private mobile photos got exposed publicly?
All of us have the habit of taking photos using our mobile, in that there would definitely be some private photos. what if it’s hacked?
This post is about a security vulnerability i found on Facebook which allows any malicious Facebook application to hack your mobile photos (synced). You can also read about my recent finding which allowed any malicious user to delete any Facebook photo albums (How I Hacked Your Facebook Photos
Facebook mobile application has a feature called “Sync photos” which help us to keep a backup(up to 2 GB) of our mobile photos. This feature enables Facebook mobile application to upload all the photos taken by your mobile to your account and it would remain private until you publish it. Sync photos feature is turned on by default in some mobile phones. We can control it in the app settings. Most of us are unaware of this feature. If you don’t want Facebook to backup your photos, go to app settings and turn it off.
I was really curious to know which endpoint is handling these photos. After a bit of research i got to know that “vaultimages” endpoint of Facebook Graph API is handling these synced photos. I started exploring through the endpoint. Reading the synced photos through this endpoint got caught in my eyes and it seems vulnerable.
After few minutes of testing, i realized that “vaultimages” endpoint is vulnerable. Bingo! 😀
Facebook mobile application makes a GET request to https://graph.facebook.com/me/vaultimages with a top level access token to read the synced photos. Facebook server check the request for proper access token and serve the synced photos of the respective user as response.
Read how hackers could hack Facebook account and their prevention measures
The vulnerable part is, it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos.
There are large numbers of Facebook applications which uses user_photos permission to read user’s public photos.
A malicious app which you are using can hack all of your private photos in few seconds.
I know that most of us won’t see the list of permissions while using any application.
Please review the permissions before granting it.
Proof of Concept Video :-
Reported this vulnerability to Facebook Security Team, as usual they were very fast in addressing this issue. They pushed a fix in less than 30 minutes after the acknowledgement of report. They are simply awesome in this regard!
They just whitelisted their official mobile applications in that endpoint and no other applications can access your private photos any more.This vulnerability is completely patched and vaultimages cannot be accessed by any application except the whitelisted applications.
"message": "(#3) App must be on whitelist",
First Acknowledgement from Facebook Security Team.
Acknowledgement of Fix.
Rewarded me $10,000 USD as a part of their bug bounty program.
I got my name listed in their whitehat honour list for reporting vulnerabilities.
Couple of vulnerabilities (this one and photo deleting vulnerability
) took me to the top of the list 😀 I thank Facebook Security Team for quickly patching this issue and also for running bug bounty program.
Please let me know your thoughts below in comments 🙂