Facebook photo sync flaw could leak user photos

News by Ava Fedorov

This week, a critical flaw in Facebook's photo sync feature has been uncovered by bug bounty hunter, Laxman Muthiyah, which he details on his blog. The opt-in feature, introduced in 2012 by the global social media giant, allows Facebook to automatically access and sync all photos stored on a user's mobile device with the corresponding Facebook account.

Though a synced private photo album should only be accessible by the official app, the flaw could allow any third-party app users to access the personal photos of Facebook account holders, even ones hidden from the photo sync album.

"The vulnerable part is, it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos," Muthiyah wrote in the log post.

Facebook immediately patched the vulnerability and has rewarded Muthiyah with $10,000 (£6,785) under its bug bounty program. Facebook users, however, are still advised to turn off Facebook Photo Sync feature as a precautionary measure.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews