Facebook flaw could have leaked your private mobile photos

A flaw discovered this week allowed certain mobile apps access to private photos on Facebook.

Security researcher Laxman Muthiyah discovered an exploit that would allow any mobile app that requires a Facebook login to access your otherwise private “synced photos” album on Facebook.

By the way, Muthiyah is the same researcher who found another vulnerability that allowed any Facebook user to delete public photos belonging to any other Facebook user through Facebook’s developer API.

This latest vulnerability comes as another blow to Facebook, which is already battling serious privacy concerns over its latest method of targeted advertising in Europe.

So what happened this time?

Basically, if you had Facebook’s “Sync Photos” feature turned on in your mobile Facebook app, then you were vulnerable. It’s a relatively new feature that isn’t available to all users (or phones) at the time of writing, but if you do have it enabled it will sync (i.e. copy) all the photos you take on your phone and upload them to a private album on your Facebook account.

The private album is “Only Me” private, meaning not even friends can see it. Well, as it turned out, developers of third-party mobile apps that use your Facebook login credentials to work could potentially have accessed and copied any of those photos, if they were aware of the exploit. Whether any were, we simply don’t know.

Facebook fixed the exploit as soon as Muthiyah made them aware of it (another $10,000 reward bounty coming his way) and now – apparently – the issue has been completely dealt with.

We always advise approaching features or apps that “sync” your photos to the Internet with extreme caution. Most people will be more than aware that this is how many of the celebrities in the leaked photos scandal were caught out. Such celebs were not aware that their phones were automatically uploading their intimate photos to online storage accounts, accounts that were duly compromised by criminals.

In this case, syncing your photos created a privacy leak where none would have otherwise existed.

Some phones may even have the “sync photos” feature turned on by default. If it is turned on, you’ll notice a “synced photos” album in your photos section. To see if it’s turned on, follow the instructions in this Facebook Help tutorial.