Exposing Private Facebook Photos with a Malicious App

[Laxman] is back again with another hack related to Facebook photos. This hack revolves around the Facebook mobile application’s “sync photos” function. This feature automatically uploads every photo taken on your mobile device to your Facebook account. These photos are automatically marked as private so that only the user can see them. The user would have to manually update the privacy settings on each photo later in order to make them available to friends or the public.

[Laxman] wanted to put these privacy restrictions to the test, so he started poking around the Facebook mobile application. He found that the Facebook app would make an HTTP GET request to a specific URL in order to retrieve the synced photos. This request was performed using a top-level access token. The Facebook server checked this token before sending down the private images. It sounds secure, but [Laxman] found a fatal flaw.

The Facebook server only checked the owner of the token. It did not bother to check which Facebook application was making the request. As long as the app had the “user_photos” permission, it was able to pull down the private photos. This permission is required by many applications as it allows the apps to access the user’s public photos. This vulnerability could have allowed an attacker access to the victim’s private photos by building a malicious application and then tricking victims into installing the app.
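The missing check described above, modelled as an added example (not Facebook's code; the token fields, the photo model and the first-party app id are assumptions, only the user_photos permission comes from the post): the weak authorizer verifies just the token's owner and the user_photos grant, while the hardened one additionally requires that private synced photos be requested by the first-party client, which is the distinction the server failed to make.

```python
from dataclasses import dataclass

# Constructed model of an access token: who owns it, which app it was
# issued to, and which permissions the user granted. Names are assumptions.
@dataclass(frozen=True)
class AccessToken:
    owner_id: str
    app_id: str
    scopes: frozenset

@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_id: str
    private: bool  # synced photos start out private ("only me")

# Hypothetical id of the official client; only it should read synced photos.
FIRST_PARTY_APP_ID = "app-official"

def weak_authorize(token, photo):
    """The flawed check from the post: token owner + user_photos, nothing else."""
    return token.owner_id == photo.owner_id and "user_photos" in token.scopes

def hardened_authorize(token, photo):
    """Corrected check: private (synced) photos also require the requesting
    application to be the first-party client; public photos keep the old rule."""
    if token.owner_id != photo.owner_id:
        return False
    if "user_photos" not in token.scopes:
        return False
    if photo.private and token.app_id != FIRST_PARTY_APP_ID:
        return False
    return True

def fetch_synced_photos(token, photos, authorize):
    """Return the ids of photos the caller may see under the given policy."""
    return [p.photo_id for p in photos if authorize(token, p)]

# Constructed sample data: two of Alice's photos (one private) and one of Bob's.
PHOTOS = [
    Photo("p1", "alice", private=True),
    Photo("p2", "alice", private=False),
    Photo("p3", "bob", private=True),
]
OFFICIAL = AccessToken("alice", FIRST_PARTY_APP_ID, frozenset({"user_photos"}))
THIRD_PARTY = AccessToken("alice", "app-thirdparty", frozenset({"user_photos"}))

if __name__ == "__main__":
    for name, tok in (("official", OFFICIAL), ("third-party", THIRD_PARTY)):
        print(name, "weak:", fetch_synced_photos(tok, PHOTOS, weak_authorize),
              "hardened:", fetch_synced_photos(tok, PHOTOS, hardened_authorize))
```

Under the weak policy the third-party token receives Alice's private photo p1; under the hardened policy it is limited to the public photo p2, while the official client still sees both.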

At least, that could have been the case if Facebook wasn’t so good about fixing their vulnerabilities. [Laxman] disclosed his finding to Facebook. They had patched the vulnerability less than an hour after acknowledging the disclosure. They also found this vulnerability severe enough to warrant a $10,000 bounty payout to [Laxman]. This is in addition to the $12,500 [Laxman] received last month for a different Facebook photo-related vulnerability.

21 thoughts on “Exposing Private Facebook Photos with a Malicious App”

    1. Bingo! If someone can see it, it is no longer private.

      And there are other issues with Facebook… that I will try later; I think I have found some interesting things also related to Facebook “privacy”. But these days I don’t have time to check it out.

    2. If you want to be pedantic, it’s true. But when the proper link is a 35-character URL of random characters, well, that has more bits than any of my passwords.

      Some systems (I run a Drupal website) do host files in an offline directory, then use PHP to create a URL that only logged-in users can access.

      1. Ah, but you use an invalid 35 random characters, and you get a 404 error. If you just got them wrong, but still a valid string, you get a different picture. If you use a password authentication, and have a wrong password, if the password function is properly implemented, after so many wrong attempts, you can’t access anything for a little while.

        1. The thing is not about guessing, it is about the fact that someone in your group can “leak” anything to the public. As an example: X shares a picture with close friends (I’m in that group) and I casually ask Y (a common friend) what he thinks about something, and I give the picture link, because of course I do. Y is not in the close friends group, the only place where the picture was shared, but since I gave him the link, this simply does not matter.
          The result of this is that basically you can consider that anything you put there can reach anyone, with a little bit of carelessness and effort. Since most people don’t go by the idea “don’t want it public, don’t put it on the internet”…
          As far as I can tell, this is also valid for G+.

          1. If you don’t share the link, you just share the photo itself (by re-uploading it to whatever service you’re using to communicate with the unauthenticated person). E.g. lots of snapchats get shared on Facebook using screen capture.

      1. I think this is available on any free website that hosts photos. They have to live off something, so displaying an ad next to your photo counts as using it commercially.
        AFAIK they are still not allowed to use it outside their website, like print a huge banner of your picture and display it. Not that it did not happen for people’s pics to be used like that by 3rd parties.

        1. “they are still not allowed to use it outside their website, like print a huge banner of your picture and display it.”

          Yeah until they buy a big advertising display, run a browser in it, and point it at their content.

  1. I sure hope that “sync photos” function can be turned off in the FB app… that’s disturbing in and of itself. I deleted my FB account three years ago over privacy concerns I had then, and it looks like they’ve continued their shenanigans unabated! Yuck. Jeers to FB. Kudos, however, to [Laxman] for finding the bug and pulling down another great bounty… at least something positive came of this.

      1. Yeah, just look at some recent papers on demographics prediction based on browsing behavior. It will scare you a bit.

        Also, don’t forget you can achieve almost perfect user identification based on simple system parameters that the web browser reports.

          1. Well, now their surveillance has linked your Hackaday account with your Facebook account, figured out that you are a liar with subversive tendencies, and they have forwarded your info to the appropriate authorities.

            Congratulations, in your attempt to minimize your presence in Facebook’s database, you have created records in their database with little gold stars next to them.

            What will you do for an encore?

          2. Yeah, they also know when you are awake and when you sleep from the times of your posting. They have your IP address, which they can correlate with other IP addresses from other users who have given their location info, so they know where you are. They know what language you speak; they can tell your educational level from the vocabulary you use. They can tell where you grew up from the eclectic forms of dialect that you put in your language. They can also tell who your friends are because they will subconsciously repeat the memes that you spew and you will repeat the memes that they spew. And of course they share data with retailers with their security camera footage and their records of everything that you buy, so now they know whether or not you eat meat or listen to Morrissey or smoke cigarettes.

          3. Bummer. I guess I’ll now have to buy that tin-foil hat I saw on Amazon for $1500. It claims to protect me from all surveillance. It says so on the internet, so it must be true, right?

            Well, I don’t listen to Morrissey or smoke cigarettes, but I do eat as much meat as possible, as often as possible. I don’t give a rat’s kidney what Facebook or anyone else thinks of me, and they can dig up all of the info on me that they want. They find out what people who know me already know: I’m fat, broke, and apathetic towards paranoid idiots who think that everyone is out to get them.
