In 2012, the social network giant introduced Facebook Photo Sync feature for iPhone, iPad and Android devices which, if opt-in, allows Facebook to automatically sync all your photos saved on your mobile device with your Facebook account.
The photos that you have synced from your phone are automatically uploaded in the background to a private Facebook album, which is not visible to any of your Facebook friends or other Facebook users. However, you may can choose then to share photos from the album on your Facebook timeline or send them as a message to a friend.
Learn Insider Threat Detection with Application Response Strategies
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
A bug bounty hunter, Laxman Muthiyah, discovered a critical flaw in the Facebook Photo Sync feature and Facebook API that could allow any third-party app to access your personal photos from the hidden Facebook Photo Sync album.
It's something that reminds me of "The Fappenings" and "The Snappening" -- in which nude and personal photographs of top celebrities were leaked due to a security flaw in Apple's iCloud file storage service and unofficial Snapchat messaging service app, respectively.
In a blog post published today, Laxman explained that the vulnerability resides in the privilege mechanism that which applications are allowed to access sync photos using vaultimages API.
"The vulnerable part is, it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos," Laxman wrote in a blog post.
Technically, Synced private photo album should be accessible by only Facebook's official app, but the vulnerability allows any 3rd party apps to get permission to read your personal synced photos.
Laxman previously disclosed a vulnerability in Facebook Graph API mechanism that allowed him to delete any photo album on Facebook owned by any user, any page or any group.
HOW TO DISABLE AUTO-SYNC
HOW TO DISABLE AUTO-SYNC
Though, Facebook has patched the vulnerability reported by Laxman and rewarded him with $10,000 under it's bug bounty program, Facebook users are advised to turn off Facebook Photo Sync feature just to be on the safer side.
In order to do so, just go to Facebook mobile app menu, scroll down and select Account > App Settings > Sync Photos, then Choose 'Don't sync my photos.'