How I Exposed Your Private Photos - Facebook Private Photos Hack

Facebook Private Photos Hacked

What if your private mobile photos got exposed publicly?

All of us have the habit of taking photos with our mobile, and among them there would definitely be some private photos. What if they got hacked?

Oh my god! Private photos hacked

This post is about a security vulnerability I found on Facebook which allowed any malicious Facebook application to read your synced mobile photos. You can also read about my recent finding which allowed any malicious user to delete any Facebook photo album (How I Hacked Your Facebook Photos).

The Facebook mobile application has a feature called "Sync photos" which helps us keep a backup (up to 2 GB) of our mobile photos. This feature lets the Facebook mobile application upload all the photos taken with your mobile to your account, where they remain private until you publish them. The Sync photos feature is turned on by default on some mobile phones. We can control it in the app settings. Most of us are unaware of this feature. If you don't want Facebook to back up your photos, go to the app settings and turn it off.

I was really curious to know which endpoint handles these photos. After a bit of research I learned that the "vaultimages" endpoint of the Facebook Graph API handles the synced photos, so I started exploring it. Reading the synced photos through this endpoint caught my eye, and it looked vulnerable.

After a few minutes of testing, I confirmed that the "vaultimages" endpoint was vulnerable. Bingo! :D

The Facebook mobile application makes a GET request to https://graph.facebook.com/me/vaultimages with a top-level access token to read the synced photos. The Facebook server checks the request for a proper access token and serves the synced photos of the respective user as the response.

The vulnerable part is that the server only checked the owner of the access token and not the application making the request. So it allowed any application with the user_photos permission to read your mobile photos.

There are a large number of Facebook applications which use the user_photos permission to read a user's public photos.
A malicious app which you are using could have read all of your private photos in a few seconds.

I know that most of us don't read the list of permissions when authorizing an application.

Facebook Application Permissions

Please review the permissions before granting them.

Proof of Concept Video:
I reported this vulnerability to the Facebook Security Team, and as usual they were very fast in addressing the issue. They pushed a fix less than 30 minutes after acknowledging the report. They are simply awesome in this regard!
They whitelisted their official mobile applications on that endpoint, so no other application can access your private photos any more.

This vulnerability is completely patched, and vaultimages cannot be accessed by any application except the whitelisted ones. Any other application now receives this error:
{
   "error": {
      "message": "(#3) App must be on whitelist",
      "type": "OAuthException",
      "code": 3
   }
}
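To make the authorization flaw and the fix concrete, here is an added example (not Facebook's code; the token fields, the whitelist contents and the photo data are assumed for illustration). It models the vulnerable check, which looks only at the token owner and the user_photos scope, next to the fixed check, which additionally requires the calling app to be on the whitelist and returns the error body shown above.

```python
# Added example, not Facebook's implementation. Token layout, app ids and
# photo names are constructed; the whitelist error mirrors the one in the post.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AccessToken:
    user_id: int            # owner of the token
    app_id: str             # application the token was issued to
    scopes: frozenset = field(default_factory=frozenset)

# Hypothetical allowlist of first-party app ids permitted on /me/vaultimages.
VAULT_APP_WHITELIST = frozenset({"fb-android-official", "fb-ios-official"})

# Constructed sample data: user 42 has two synced (private) photos.
VAULT_PHOTOS = {42: ["IMG_0001.jpg", "IMG_0002.jpg"]}

WHITELIST_ERROR = {"error": {"message": "(#3) App must be on whitelist",
                             "type": "OAuthException", "code": 3}}
SCOPE_ERROR = {"error": {"message": "user_photos permission missing (constructed)",
                         "type": "OAuthException"}}

def vaultimages_before_fix(token: AccessToken) -> dict:
    """Vulnerable handler: only the token owner and scope are checked, so any
    third-party app holding a user_photos token could read the synced photos."""
    if "user_photos" not in token.scopes:
        return SCOPE_ERROR
    return {"data": VAULT_PHOTOS.get(token.user_id, [])}

def vaultimages_after_fix(token: AccessToken) -> dict:
    """Fixed handler: the calling app must be whitelisted before any other
    check runs, so non-whitelisted apps learn nothing about the photos."""
    if token.app_id not in VAULT_APP_WHITELIST:
        return WHITELIST_ERROR
    return vaultimages_before_fix(token)

if __name__ == "__main__":
    official = AccessToken(42, "fb-android-official", frozenset({"user_photos"}))
    third_party = AccessToken(42, "third-party-quiz-app", frozenset({"user_photos"}))
    print("before fix, third party:", vaultimages_before_fix(third_party))
    print("after fix,  third party:", vaultimages_after_fix(third_party))
    print("after fix,  official:   ", vaultimages_after_fix(official))
```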

First acknowledgement from the Facebook Security Team.


Facebook Private Photos Vulnerability Acknowledgement from Facebook Security Team


Acknowledgement of Fix.


Facebook Private Photos Vulnerability Acknowledgement of Fix


Facebook rewarded me $10,000 USD as a part of their bug bounty program.


$10,000 USD bounty from Facebook For Private Photos Bug


I got my name listed in their whitehat honour list for reporting vulnerabilities.

Facebook Whitehat Honour List 2015 - Laxman Muthiyah


A couple of vulnerabilities (this one and the photo deleting vulnerability) took me to the top of the list :D I thank the Facebook Security Team for quickly patching this issue and also for running the bug bounty program.

Please let me know your thoughts below in comments :)


About Laxman Muthiyah


16 comments:

  1. Bro... where did you get so much knowledge from??

  2. Nice find once again! I expect you'll stay at the top of that Whitehat list :)

  3. Bingo xD, kudos bro.

    Kind Regards
    Raj

  4. Hey, I really like what you do!
    I have some good knowledge in computers, JavaScript, PHP, CSS, JS, VBScript, batch and HTML, so I want to begin but I don't really know how.
    How do you work? Did you learn all these things by yourself?
    Would you advise me? Thanks! :)

    1. You can learn anything on the internet. "Google is GOD", make use of it :) Good luck :)

  5. This comment has been removed by a blog administrator.

  6. Very smart ;)
    I would like to know how to intercept Facebook mobile app traffic to start analysis ^_^

  7. Can someone help me out? My wife left me and took my daughter. Her name is Crystal Lynn Wallace, 31, Logan, Utah; my baby girl is Bonnie Dowdell. Well, she left and blocked me from everything I can think of, so I can't see any pics of my baby. All I want is pics so I know she is safe. I'm not good with computers so I don't know how to hack, so if anyone can help that would be great.

  9. Can you personally hack an account for me? I'll pay you.

  10. Please hack an account for me. I'll pay you as well. SMS +639178884511

  11. Hey, I truly like what you do! I have some great learning in writing, so I need to start; however, I don't generally know how. I'm sure that you can help my federal resume writing service help.

  12. Hi everyone, fix your broken relationship and marriage right now no matter how hopeless your situation seems!! I am so excited sharing my testimony with everyone here about how I saved my marriage and got my husband back after a divorce. I am Natasha Hayes by name and I'm happily married to a lovely and caring husband, with two kids. A very big problem occurred in my family seven months ago, between me and my husband, so terrible that he took the case to court for a divorce. He said that he never wanted to stay with me again, and that he didn't love me anymore. So he packed out of the house and made me and my children pass through severe pain. I tried all my possible means to get him back, after much begging, but all to no avail, and he confirmed that he had made his decision, and he never wanted to see me again. So one evening, as I was coming back from work, I met an old friend of mine who asked about my husband. So I explained everything to him, and he told me that the only way I can get my husband back is to visit a spell caster, because it has really worked for him too. I never believed in spells, but I had no other choice than to follow his advice. Then he gave me the email address of the spell caster whom he visited: {Unityspelltemple@gmail.com}. So the next morning, I sent a mail to the address he gave me, and the spell caster assured me that I will get my husband back the next day. What an amazing statement!! I never believed, so he spoke with me and told me everything that I need to do. Then the next morning, so surprisingly, my husband who didn't call me for the past {7} months gave me a call to inform me that he was coming back. So amazing!! So that was how he came back that same day, with lots of love and joy, and he apologized for his mistake and for the pain he caused me and my children. Then from that day, our marriage was stronger than it was before, by the help of a spell caster, Dr Unity.
    So, I will advise you out there, if you have any problem contact Dr Unity and I guarantee you that he will help you and you will be the next to share your testimony to everyone in the world!! Email him at: Unityspelltemple@gmail.com or call him on: +2348072370762.
