Security researcher Laxman Muthiyah has discovered another security hole on Facebook. This time the researcher demonstrates how he can see the private photos in users' Facebook accounts. The critical issue once again resides in the Facebook Graph API and allows attackers to see users' private photos.

How Were Your Private Photos Exposed?

The Sync photos feature is turned on by default on some mobile phones. In his blog post the researcher explained how a malicious Facebook application could expose all the private photos in your account. He notes that Facebook has a feature called "Sync photos" which keeps a backup (up to 2 GB) of your mobile photos. The feature lets the Facebook mobile application upload every photo taken with your phone to your account, where it remains private until you publish it.

So he started researching this default feature of Facebook, and after some time he learned that the "vaultimages" endpoint of the Facebook Graph API handles these synced photos. He then examined the vaultimages endpoint and found that it was vulnerable.

There are thousands of apps that use the user_photos permission to read the photos in a user's account. So a single malicious app could pull all your synced mobile photos within a second.

Vulnerability Demonstration

Researcher Muthiyah has also published a video demonstration of the bug as a proof-of-concept.

How to Prevent it?

Many users never check the permission list when they grant an app access to their account. So it is recommended that you review the requested permissions before you use an app and allow them.

Another thing we can do is control the sync function of our device from the app settings. Most of us are unaware of the sync function, which makes a backup of all the device data. If you don't want Facebook to back up your photos, go to the app settings and turn it off.

Muthiyah reported the issue to the Facebook team, and within an hour it had been fixed. For his research, Facebook rewarded him with $10,000 under its bug bounty program. Earlier he had also received a reward of $12,500 from Facebook for reporting a critical bug on Facebook.

Currently, Muthiyah is at the top of Facebook's White Hat honour list.

Last month an Indian security researcher found a critical bug on Facebook which allows the attacker to. The researcher explained that the bug resides in the Graph API and allowed him to delete any photo album of any Facebook user, even of a fan page or Facebook group. The vulnerable part is that Facebook just [...] which is making the request. So it allows any application with the user_photos permission to read your mobile photos.
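Taken together, the paragraph on apps holding user_photos and the closing note that any such app could read synced mobile photos describe one authorization weakness: a privileged class of photos (private backups from Sync photos) was guarded only by a permission that thousands of third-party apps already hold. The Python model below is added here as an illustration; it is not Facebook's code and not the researcher's proof-of-concept. It contrasts a check that considers only the token owner and the user_photos scope with one that, for synced photos, also requires the requesting app to be the first-party mobile app, and it includes the kind of permission review the prevention section recommends. The Photo and AccessToken classes, the `facebook-mobile` app id, the `synced` flag and the sample data are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed model of Graph-API-style access checks, added for this article as an
# illustration; it is not Facebook's code. The names Photo, AccessToken,
# FIRST_PARTY_APPS and the `synced` flag are assumptions made for the example.

# Assumption: only the official mobile app should read "Sync photos" uploads.
FIRST_PARTY_APPS = frozenset({"facebook-mobile"})


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_id: str
    synced: bool  # True for a synced backup the user has not published yet


@dataclass(frozen=True)
class AccessToken:
    user_id: str        # who authorised the token
    app_id: str         # which application holds it
    scopes: frozenset   # granted permissions, e.g. {"user_photos"}


def can_read_vulnerable(token: AccessToken, photo: Photo) -> bool:
    """Weak check: looks only at the token owner and the user_photos scope.
    Any third-party app the user has authorised therefore reaches synced photos."""
    return token.user_id == photo.owner_id and "user_photos" in token.scopes


def can_read_fixed(token: AccessToken, photo: Photo) -> bool:
    """Stronger check: synced, unpublished photos also require a first-party app."""
    if token.user_id != photo.owner_id or "user_photos" not in token.scopes:
        return False
    if photo.synced and token.app_id not in FIRST_PARTY_APPS:
        return False
    return True


def readable_photo_ids(check, token: AccessToken, photos) -> list:
    """Photo ids a given check would release to this token, in input order."""
    return [p.photo_id for p in photos if check(token, p)]


def apps_with_scope(grants: dict, scope: str) -> list:
    """User-side review: which authorised apps hold a given permission.
    `grants` maps app id -> set of scopes, as shown in the account's app settings."""
    return sorted(app for app, scopes in grants.items() if scope in scopes)


# Constructed sample data: one published photo and one private synced backup.
PHOTOS = (
    Photo("pub-1", "user-42", synced=False),
    Photo("sync-1", "user-42", synced=True),
)
THIRD_PARTY_TOKEN = AccessToken("user-42", "quiz-app", frozenset({"user_photos"}))
MOBILE_APP_TOKEN = AccessToken("user-42", "facebook-mobile", frozenset({"user_photos"}))
OTHER_USER_TOKEN = AccessToken("user-7", "quiz-app", frozenset({"user_photos"}))


if __name__ == "__main__":
    print("vulnerable, third-party app:",
          readable_photo_ids(can_read_vulnerable, THIRD_PARTY_TOKEN, PHOTOS))
    print("fixed, third-party app:     ",
          readable_photo_ids(can_read_fixed, THIRD_PARTY_TOKEN, PHOTOS))
    print("fixed, mobile app:          ",
          readable_photo_ids(can_read_fixed, MOBILE_APP_TOKEN, PHOTOS))
    print("apps holding user_photos:   ",
          apps_with_scope({"quiz-app": {"user_photos", "email"},
                           "calendar": {"email"}}, "user_photos"))
```

The design point is that a scope such as user_photos expresses what a user agreed to share with apps in general, while synced backups are a resource the user never chose to expose to any third party; releasing them needs a second condition tied to the client identity, not just the token owner. The `apps_with_scope` review is the user-side counterpart: it lists exactly which authorised apps would have been able to reach such photos under the weak check.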