Facebook photo leak flaw raises security concerns

A Facebook mobile code vulnerability, which exposed private photos to hackers, has raised questions about the safety of the social network’s coding

A Facebook mobile code vulnerability, which exposed private photos to hackers, has raised questions about the safety of the social network’s coding in general.

Security researcher Laxman Muthiyah recently discovered a critical vulnerability in the Facebook Photo Sync feature that was introduced more than two years ago.

In all that time, Facebook failed to discover the flaw that put millions of private photos at risk in the feature designed to enable users to sync their mobile photos with their Facebook account.

Muthiyah found that synced photos that had not been published on Facebook and should not have been visible to anyone could be accessed by exploiting a flaw in the photo sync feature.

In a blog post, Muthiyah said he found that the Facebook mobile application makes a GET request to https://graph.facebook.com/me/vaultimages with a top-level access token to read the synced photos.

While the Facebook server checks the request for a proper access token and serves the synced photos of the respective user as response, it was not designed to check which application is making the request.

Muthiyah discovered that any application with "user_photos" permission could get access to synced mobile photos, which meant hackers could craft apps for this malicious purpose.

He reported the vulnerability to the Facebook Security Team, which fixed the flaw in less than 30 minutes by whitelisting Facebook official mobile applications so that no other apps can get access.

Facebook also paid Muthiyah $10,000 under the company’s bug bounty programme that was introduced to encourage anyone who discovers flaws to report them to the social networking firm.

Read more about Facebook and security

  • Expert Kevin Beaver explains how enterprises can take a page from Facebook's ThreatData framework security analytics to boost enterprise defense
  • There have been on-going concerns over Facebook’s security protocols following the Snowden scandal
  • Facebook for Work app may not address security concerns

While a response in under 30 minutes is impressive, independent security consultant Graham Cluley said the flaw should not have existed in the first place or allowed to go undetected for so long.

In a blog post, Cluley said the failure of Facebook to pick up the critical flaw raises questions about the security of Facebook’s code in general.

This is particularly concerning in the light of Facebook’s recent announcement that it plans to introduce a friend-to-friend payment feature.

The feature is to be added soon in the US to Facebook’s Messenger app for Android, iOS and desktops.

Facebook, which already processes more than a million transactions daily on the site for gamers and advertisers, claims security will be a top priority.

According to the social networking firm, the new payment feature will use secure systems that encrypt the connection between the user and Facebook, as well as the users’ card information.

Facebook also claims the payment systems are kept in a secured environment that is separate from other parts of the Facebook network and receives additional monitoring and control.

But security experts have advised Facebook users to proceed with caution.

Chief technology officer at security firm Lancope, TK Keanini, said while the payment system is exciting and useful, everyone must do their part to secure their accounts.

“Remember, when your account is compromised, it affects everyone. Some people treat Facebook as a play account and don't take security seriously, approving friend requests from complete strangers, accepting game invites from anyone,” he said.

The Facebook platform, including the mobile app, is already a big target for attackers, according to Tripwire director of security and risk Tim Erlin.

“Adding a financial component to messenger puts it in a different category. There is no doubt that cyber criminals will immediately begin looking for ways to use this new feature to get into your wallet,” he said.

However, Eset security specialist Mark James believes that although Facebook is a big target and will be looked at very closely by cyber criminals once this goes live, Facebook will invest heavily in security in an attempt to keep data safe.

Read more on Privacy and data protection