Indian web developer and security researcher Laxman Muthiyah discovered a new vulnerability in Facebook that allowed any malicious Facebook application to read your mobile photos.
The Facebook mobile application has a feature called "Sync photos" that helps us keep a backup of our mobile photos. It lets the Facebook mobile application upload all the photos taken on your phone to your account, where they remain private until you publish them.
The Sync photos feature is turned on by default on some mobile phones. It can be controlled in the app settings, but most of us are unaware of it. If you don't want Facebook to back up your photos, go to the app settings and turn it off.
The Facebook mobile application makes a GET request with a top-level access token to read the synced photos. The Facebook server checks the request for a proper access token and serves the synced photos of the respective user in response.
A large number of Facebook applications use the user_photos permission to read users' public photos. A malicious app that you are using could read all of your private photos in a few seconds.
The vulnerability, in Laxman's words: "it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos."
Laxman reported this vulnerability to the Facebook Security Team, who were very fast in addressing the issue: they pushed a fix less than 30 minutes after acknowledging the report.
They simply whitelisted their official mobile applications at that endpoint, so no other application can access your private photos any more.
Laxman was rewarded $10,000 USD as part of their bug bounty program, and his name was listed on the whitehat list.
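To make the flawed check and its fix concrete, here is an added Python model of the authorization decision the report describes. It is a constructed illustration, not Facebook's code; the app ids, the allowlist and the function names are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the synced-photos access check described above.
# Not Facebook's code; app ids and names are placeholders.

@dataclass(frozen=True)
class AccessToken:
    user_id: str        # the user who granted the token (its owner)
    app_id: str         # the application the token was issued to
    scopes: frozenset   # permissions granted, e.g. {"user_photos"}

# Hypothetical allowlist of first-party mobile app ids (placeholder values).
OFFICIAL_MOBILE_APPS = frozenset({"official-ios-app", "official-android-app"})

def vulnerable_can_read_synced_photos(token: AccessToken, owner_id: str) -> bool:
    """Pre-fix check: only the token owner and the user_photos scope are
    verified, so any third-party app holding such a token is let through."""
    return token.user_id == owner_id and "user_photos" in token.scopes

def fixed_can_read_synced_photos(token: AccessToken, owner_id: str) -> bool:
    """Post-fix check: the requesting application must also be one of the
    allowlisted official mobile apps, as the report describes."""
    return (
        token.user_id == owner_id
        and "user_photos" in token.scopes
        and token.app_id in OFFICIAL_MOBILE_APPS
    )

def compare_checks(owner_id: str = "user-42") -> dict:
    """Run both checks against three constructed tokens; return (before, after) per token."""
    tokens = {
        # Official app token: legitimate access to the owner's synced photos.
        "official_app": AccessToken(owner_id, "official-ios-app", frozenset({"user_photos"})),
        # Third-party app the user installed, holding user_photos for the same user.
        "third_party_app": AccessToken(owner_id, "some-game-app", frozenset({"user_photos"})),
        # Token belonging to a different user: rejected by both checks.
        "other_user": AccessToken("user-99", "official-ios-app", frozenset({"user_photos"})),
    }
    return {
        name: (vulnerable_can_read_synced_photos(t, owner_id),
               fixed_can_read_synced_photos(t, owner_id))
        for name, t in tokens.items()
    }

if __name__ == "__main__":
    for name, (before, after) in compare_checks().items():
        print(f"{name:16s} vulnerable={before!s:5s} fixed={after}")
```

The third-party token is the case that matters: it passes the owner-only check and is rejected once the requesting app id is also verified.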