The Photo Sync feature was introduced by Facebook in 2012 so that users across platforms like iPhone, iPad and Android can sync their images seamlessly. Once the user enables Photo Sync, Facebook automatically uploads every photo saved on the mobile device into the user's Facebook account.
The mobile app saves the photos (up to 2GB) in the background, and the user can call them up at will to share with friends or post to the wall. Muthiya found that the Facebook Graph API endpoint which handles the synced photos stores these images in a container called "vaultimages." Muthiya probed vaultimages for flaws and found it vulnerable.

Says Muthiya, "In layman's language, the Facebook user's synced private photo album should be accessible only by Facebook's official app, but the vulnerability in vaultimages allows any third-party app to get permission to read your personal synced photos. The vulnerable part is that it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos."

Muthiya contacted Facebook's security team with the PoC, and Facebook immediately took notice of the bug and patched it. They also rewarded Muthiya with $10,000 for his find and added his name to the honor list of Facebook white hat hackers. Muthiya has made a PoC video of the bug, which is given below:
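To make the flaw concrete, here is an added model of the authorization check described above (example code, not Facebook's implementation): an access token carries the user it was granted by and the application it was issued to, and the vulnerable handler only inspects the former. The app identifier, the sample album contents and the token layout are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Hypothetical identifier for the first-party client; only this app should read synced albums.
OFFICIAL_APP_ID = "official-mobile-app"


@dataclass(frozen=True)
class AccessToken:
    user_id: str             # the user who granted the token (the "owner")
    app_id: str              # the application the token was issued to
    scopes: FrozenSet[str]   # granted permissions, e.g. {"user_photos"}


# Constructed sample data: each user's privately synced album, keyed by owner.
VAULT = {
    "alice": ["IMG_0001.jpg", "IMG_0002.jpg"],
    "bob": ["IMG_0100.jpg"],
}


def _owner_and_scope_ok(token: AccessToken, owner: str) -> bool:
    """Shared part of both checks: the token must belong to the album owner
    and must carry the user_photos permission."""
    return token.user_id == owner and "user_photos" in token.scopes


def vault_images_vulnerable(token: AccessToken, owner: str) -> Optional[List[str]]:
    """Models the flawed check from the article: owner and scope are verified,
    but the requesting application is never examined, so any third-party app
    holding a user_photos token for the owner is served the album."""
    if not _owner_and_scope_ok(token, owner):
        return None
    return list(VAULT.get(owner, []))


def vault_images_fixed(token: AccessToken, owner: str) -> Optional[List[str]]:
    """Hardened variant: access is bound to both the token owner and the
    issuing application, so third-party tokens are refused even with user_photos."""
    if not _owner_and_scope_ok(token, owner):
        return None
    if token.app_id != OFFICIAL_APP_ID:
        return None
    return list(VAULT.get(owner, []))


if __name__ == "__main__":
    third_party = AccessToken("alice", "some-third-party-app", frozenset({"user_photos"}))
    print("vulnerable:", vault_images_vulnerable(third_party, "alice"))  # album leaks
    print("fixed:     ", vault_images_fixed(third_party, "alice"))       # None
```

The same pattern applies to any API that exposes first-party-only data: checking who the token belongs to is not the same as checking which client is presenting it.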