Thursday, March 19, 2015

Facebook Vulnerability leaks Private Photos.


Having a Facebook account has become something of a social status. Facebook's Photo Sync feature lets users automatically upload photos taken on their phones or tablets. A researcher recently found a vulnerability in Facebook that could be used to leak those private photos.

Photos synced from a device are uploaded automatically to a private album that nobody else can see until the owner chooses to share them with friends. The vulnerability allowed a third-party app to read the personal photos in that hidden Facebook Photo Sync album.

The vulnerability was in the privilege check that decides which applications are allowed to read synced photos through the vaultimages API.

The private sync album should be readable only by Facebook's official app, but this bug let any third-party app obtain permission to read the user's synced private photos. In other words, the check confirmed that the user had granted photo access but never confirmed which application was asking.
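The class of bug described above, as an added illustrative model (this is not Facebook's code and does not reproduce its internals; the token layout, the FIRST_PARTY_APPS registry, the sample album and the handler names are assumptions made for the example): a vulnerable handler that grants access on the user's permission scope alone, beside a fixed handler that also requires the calling application to be a first-party app.

```python
# Added illustrative model, not Facebook's code. It models the class of bug
# described in the post: an endpoint that only checks the user's permission
# scope and never asks *which application* is calling, so any third-party app
# holding a user token with the right scope can read a resource that should be
# restricted to the official first-party app.

from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    """Hypothetical token: who the user is, which app holds it, which scopes it has."""
    user_id: str
    app_id: str
    scopes: frozenset


# Hypothetical registry of apps allowed to touch the private sync album.
FIRST_PARTY_APPS = frozenset({"official-facebook-app"})

# Constructed sample data: one user's private sync album.
VAULT_IMAGES = {
    "user-42": ["sync/IMG_0001.jpg", "sync/IMG_0002.jpg"],
}


class Forbidden(Exception):
    pass


def vaultimages_vulnerable(token: AccessToken) -> list:
    """Buggy check: any app that obtained the user_photos scope can read the album."""
    if "user_photos" not in token.scopes:
        raise Forbidden("missing user_photos scope")
    return list(VAULT_IMAGES.get(token.user_id, []))


def vaultimages_fixed(token: AccessToken) -> list:
    """Fixed check: the scope is necessary but not sufficient. The calling app
    must also be a first-party app, and that decision is made before any
    album data is touched."""
    if token.app_id not in FIRST_PARTY_APPS:
        raise Forbidden(f"app {token.app_id!r} may not access vaultimages")
    if "user_photos" not in token.scopes:
        raise Forbidden("missing user_photos scope")
    return list(VAULT_IMAGES.get(token.user_id, []))


def can_read_vault(handler, token: AccessToken) -> bool:
    """Compare the two handlers: True if the handler grants access."""
    try:
        handler(token)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Both apps hold a token for the same user with the same scope; only the
    # app identity differs.
    official = AccessToken("user-42", "official-facebook-app", frozenset({"user_photos"}))
    third_party = AccessToken("user-42", "some-quiz-app", frozenset({"user_photos"}))
    for name, handler in (("vulnerable", vaultimages_vulnerable), ("fixed", vaultimages_fixed)):
        print(name, "official:", can_read_vault(handler, official),
              "third-party:", can_read_vault(handler, third_party))
```

Running the block shows the vulnerable handler granting both apps access while the fixed handler refuses the third-party app. The order of checks in the fixed handler matters: the app identity is rejected first so that an unauthorized caller learns nothing about the user's scopes or album.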

The researcher who found it is Laxman from India; he had earlier disclosed a Graph API bug that allowed anyone to delete any photo album.

How to Disable the Auto-Sync Feature:

Facebook has patched the vulnerability and rewarded him with $10,000, but Facebook users are still advised to turn off the Photo Sync feature.

To do that, go to Account --> App Settings --> Sync Photos, then choose 'Don't sync my photos'.

P.S : The post is to create awareness and not to be misused.
