What if your private mobile photos got exposed publicly?

All of us have the habit of taking photos with our mobile phones, and among them there are bound to be some private photos. What if they were hacked?
Oh my god! Private photos hacked
This post is about a security vulnerability I found on Facebook which allowed any malicious Facebook application to read your synced mobile photos. You can also read about my recent finding which allowed any malicious user to delete any Facebook photo album (How I Hacked Your Facebook Photos).



The Facebook mobile application has a feature called “Sync photos” which helps us keep a backup (up to 2 GB) of our mobile photos. This feature lets the Facebook mobile application upload all the photos taken on your mobile to your account, where they remain private until you publish them.

The Sync photos feature is turned on by default on some mobile phones. We can control it in the app settings. Most of us are unaware of this feature. If you don’t want Facebook to back up your photos, go to the app settings and turn it off.

I was really curious to know which endpoint handles these photos. After a bit of research, I found out that the “vaultimages” endpoint of the Facebook Graph API handles the synced photos. I started exploring the endpoint. Reading the synced photos through this endpoint caught my eye, and it seemed vulnerable.
After a few minutes of testing, I realized that the “vaultimages” endpoint was indeed vulnerable. Bingo! 😀

The Facebook mobile application makes a GET request to https://graph.facebook.com/me/vaultimages with a top-level access token to read the synced photos. The Facebook server checks the request for a valid access token and serves the synced photos of the respective user as the response.


The vulnerable part is that the server only checked the owner of the access token, not the application making the request. So any application granted the user_photos permission could read your mobile photos.

A large number of Facebook applications use the user_photos permission to read users’ public photos.

A malicious app that you are using could have copied all of your private photos in a few seconds. I know that most of us don’t look at the list of permissions when using an application.
Facebook Application Permissions
Please review the permissions before granting it.

Proof of Concept Video:

I reported this vulnerability to the Facebook Security Team and, as usual, they were very fast in addressing the issue. They pushed a fix less than 30 minutes after acknowledging the report. They are simply awesome in this regard!

They simply whitelisted their official mobile applications on that endpoint, so no other application can access your private photos anymore. This vulnerability is completely patched: vault images cannot be accessed by any application except the whitelisted ones, and any other application now receives the following error:

{
   "error": {
      "message": "(#3) App must be on whitelist",
      "type": "OAuthException",
      "code": 3
   }
}
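The two authorization policies described above, the pre-fix check (token owner only) and the post-fix check (token owner plus an application allow-list), as an added example written for this page; it is not Facebook's code and the Graph API's real server-side logic is not public. The token strings, app ids, user ids, photo names and the allow-list are constructed placeholders; the only value taken from the post is the "(#3) App must be on whitelist" error, and the other two error messages and codes are constructed as well.

```python
# Added example (not Facebook's code): a toy model of the authorization check the post
# describes for GET /me/vaultimages, before and after the fix. Every identifier below is
# a constructed placeholder except the "(#3) App must be on whitelist" error from the post.
from dataclasses import dataclass

VAULT_SCOPE = "user_photos"


@dataclass(frozen=True)
class AccessToken:
    """Who a token belongs to, which app it was issued to, and what it was granted."""
    user_id: str
    app_id: str
    scopes: frozenset


# Constructed token store: three tokens for the same user, issued to different apps.
TOKENS = {
    "tok-official": AccessToken("user-1", "app-official-mobile", frozenset({VAULT_SCOPE})),
    "tok-quiz": AccessToken("user-1", "app-third-party-quiz", frozenset({VAULT_SCOPE})),
    "tok-game": AccessToken("user-1", "app-third-party-game", frozenset({"email"})),
}

# Constructed vault of synced (unpublished) photos, keyed by owner.
VAULT = {"user-1": ["IMG_0001.jpg", "IMG_0002.jpg"]}

# Apps allowed to read synced photos. The post says the fix was to whitelist Facebook's
# official mobile applications; the id here is a placeholder.
VAULT_APP_ALLOWLIST = frozenset({"app-official-mobile"})


def oauth_error(message, code):
    """Error envelope in the same shape as the response quoted in the post."""
    return {"error": {"message": message, "type": "OAuthException", "code": code}}


def resolve_token(token_str):
    """Shared part of both policies: the token must exist and carry the photo scope.

    Returns (token, None) on success or (None, error_response) on failure. The messages
    and codes for these two failures are constructed, not Facebook's.
    """
    tok = TOKENS.get(token_str)
    if tok is None:
        return None, oauth_error("Invalid access token (constructed message)", 190)
    if VAULT_SCOPE not in tok.scopes:
        return None, oauth_error("Missing permission user_photos (constructed message)", 10)
    return tok, None


def vaultimages_before_fix(token_str):
    """Pre-fix behaviour as the post describes it: only the token and its owner are
    checked, so any app holding user_photos receives the user's synced photos."""
    tok, err = resolve_token(token_str)
    if err:
        return err
    return {"data": VAULT.get(tok.user_id, [])}


def vaultimages_after_fix(token_str):
    """Post-fix behaviour: the same checks, plus the requesting app must be allow-listed.
    A third-party app with user_photos now gets the error quoted in the post."""
    tok, err = resolve_token(token_str)
    if err:
        return err
    if tok.app_id not in VAULT_APP_ALLOWLIST:
        return oauth_error("(#3) App must be on whitelist", 3)
    return {"data": VAULT.get(tok.user_id, [])}


if __name__ == "__main__":
    for name in TOKENS:
        print(name, "before fix:", vaultimages_before_fix(name))
        print(name, "after fix: ", vaultimages_after_fix(name))
```

Running the block shows the difference the fix makes: the third-party quiz app's token is accepted by the pre-fix check because it carries user_photos, and rejected by the post-fix check because its app id is not on the allow-list, while the official app's token passes both. The design point is that a valid token with the right scope proves who the user is, not which application is asking; data this sensitive needs the caller's identity checked as well.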

First Acknowledgement from Facebook Security Team.

Facebook Private Photos Vulnerability Acknowledgement from Facebook Security Team

Acknowledgement of Fix.

Facebook Private Photos Vulnerability Acknowledgement of Fix

Facebook rewarded me $10,000 USD as part of their bug bounty program.

$10,000 USD bounty from Facebook For Private Photos Bug
I got my name listed in their white hat honor list for reporting vulnerabilities.
Facebook Whitehat Honour List 2015 - Laxman Muthiyah
A couple of vulnerabilities (this one and the photo deletion vulnerability) took me to the top of the list 😀 I thank the Facebook Security Team for quickly patching this issue and for running the bug bounty program.


Please let me know your thoughts below in comments 🙂
  • bro… where did all this knowledge come from??

  • Nice find once again! I expect you'll stay at the top of that Whitehat list 🙂

  • raj

    Bingo xD, Kudos Bro

    Kind Regards
    Raj

  • Hey, I really like what you do!
    I have some good knowledge in computers, javascript, php, css, js, vbscript, batch and html, so I want to begin but I don't really know how.
    How do you work? Did you learn all these things by yourself?
    Would you advise me? Thanks! 🙂

    • you can learn anything on the internet. "Google is GOD" make use of it 🙂 Good luck 🙂

      • Google is just a messenger of Gods. IYKWIM

  • Very smart 😉
    I would like to know how to intercept facebook mobile app traffic to start analysis ^_^

  • can someone help me out? my wife left me and took my daughter. her name is crystal lynn wallace, 31, logan utah; my baby girl is bonnie dowdell. well she left and blocked me from everything i can think of so i can't see any pics of my baby. all i want is pics so i know she is safe. i'm not good with computers so i don't know how to hack, so if anyone can help that would be great

    • Reading posts like this makes surfing such a pleasure

  • Anonymous

    Can you personally hack an account for me, ill pay you.

  • please hack an account for me. I'll pay you as well. sms +639178884511

  • venkatesh

    i too had the knowledge of hacking but don't know what tools to use, can u pls help me.

  • Jolyon

    So you are the one who exposed this vulnerability. Nice. I had read this in the news.

  • Kelly Bartley

    Hi everyone, I have recommended {ZEUSHACKERS01 at OUTLOOK – COM}} to many friends and associates in need of hacking services and benefits, we have never seen such a good hacking system and look forward to a long & profitable association with {ZEUSHACKERS01 at OUTLOOK – COM}} in the future – you may need to know that I work in a PI company (Private Investigation). You can also contact them for FB hacks, website hacks,phone hacks, bank account hacks, clear criminal or court records,upgrading school grades and many more. Tell them Kelly from NJ referred you

  • trayjones

    Hello you all , first of all this is not a spam because I am posting here just to show my appreciation to mike. He helped me discover that my wife of 8 years has been cheating on my me my best friend. He helped me hack her phone and gave me access to his text messages including deleted text that goes as far as 6 months. You can contact him on michaelstealth9 at gmail dot com . He does all other sort of ethical hacks too.This is the only way I can thank him for helping me..

  • akpokemon (wad11656)

    wtf maaaan How am i s’posed to stalk the hot people I’m not friends with >:[

  • sommer

    If you need to hack into any phone or computer, monitor someone’s communications like calls text, WhatsApp twitter, snapchat, Facebook, database, delete record, monitoring your spouse’s cheating activities, improve credit score, retrieve or spy on your partners whatsapp, text, phone, emails, bank account and many more… Just contact [email protected], he is reliable and efficient