What if your private mobile photos got exposed publicly?

Most of us take photos with our phones, and some of those photos are definitely private. What if they were exposed?
Oh my god! Private photos hacked
This post is about a security vulnerability I found in Facebook's Graph API which allowed any malicious Facebook application to read the mobile photos you had synced to your account.
The Facebook mobile application has a feature called “Sync photos” which keeps a backup (up to 2 GB) of your mobile photos. With this feature enabled, the mobile application uploads every photo taken on your phone to your account, where it remains private until you publish it.

The Sync photos feature is turned on by default on some phones, and most users are unaware of it. You can control it in the app settings: if you don't want Facebook to back up your photos, go to the app settings and turn it off.


I was curious which endpoint handles these photos. After a bit of research, I found that the “vaultimages” endpoint of the Facebook Graph API serves the synced photos, and I started exploring it. Reading synced photos through this endpoint caught my eye as a likely weak spot, and after a few minutes of testing I confirmed that “vaultimages” was vulnerable. Bingo! 😀

To read the synced photos, the Facebook mobile application makes a GET request to https://graph.facebook.com/me/vaultimages with the user's access token. The Facebook server checks that the request carries a valid access token and returns the synced photos of that user as the response.

The vulnerable part is that the server checked only the owner of the access token, not the application the token was issued to. In other words, authorization was keyed on the user behind the token and never on the calling app, so any third-party application that had been granted the user_photos permission could read your synced mobile photos with its own token.

A large number of Facebook applications request the user_photos permission to read the photos a user has published.

A malicious app you are using could have copied all of your private photos in a few seconds. I know that most of us don't look at the list of permissions an application asks for.
Facebook Application Permissions
Please review the permissions before granting them.

Proof of Concept Video:

I reported this vulnerability to the Facebook Security Team and, as usual, they were very fast in addressing it: they pushed a fix less than 30 minutes after acknowledging the report. They are simply awesome in this regard!

The fix whitelisted their official mobile applications on that endpoint, so no other application can access your private photos anymore. The vulnerability is completely patched: vault images cannot be read by any application except the whitelisted ones, and every other app now receives the following Graph API error.


{
   "error": {
      "message": "(#3) App must be on whitelist",
      "type": "OAuthException",
      "code": 3
   }
}
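The following is an added example, not Facebook's code and not from the original post: it models the authorization check on /me/vaultimages before and after the fix, exactly as the post describes it. Before the fix the server only verified that the token was valid and carried user_photos; after the fix it also requires the calling app to be on a whitelist. The token strings, app IDs and photo names are constructed for the example, and the error codes other than 3 (the one quoted above) are standard Graph API codes used here only for illustration. The `leaking_apps` audit helper is the check a practitioner would run against such an endpoint: it returns every non-whitelisted app whose token can still read another app's private data.

```python
"""Added example: a model of the /me/vaultimages authorization check before
and after Facebook's fix. Not Facebook's code. Tokens, app IDs and photo
names are constructed; error codes other than 3 are illustrative."""
from dataclasses import dataclass

# Constructed IDs, not real Facebook app IDs.
OFFICIAL_MOBILE_APP_ID = "app-official-mobile"
THIRD_PARTY_APP_ID = "app-photo-effects"

# After the fix, only the official mobile apps may call the endpoint.
VAULT_WHITELIST = frozenset({OFFICIAL_MOBILE_APP_ID})


@dataclass(frozen=True)
class Token:
    """What the server can look up for an access token: whose token it is,
    which app it was issued to, and which permissions that app was granted."""
    user_id: str
    app_id: str
    scopes: frozenset


# Simulated token store (constructed). Both app tokens belong to the same
# user; only the official app should be able to read her synced photos.
TOKENS = {
    "tok-official": Token("alice", OFFICIAL_MOBILE_APP_ID, frozenset({"user_photos", "email"})),
    "tok-third-party": Token("alice", THIRD_PARTY_APP_ID, frozenset({"user_photos"})),
    "tok-no-photos": Token("alice", THIRD_PARTY_APP_ID, frozenset({"email"})),
}

# Synced (private) photos per user, constructed.
VAULT_IMAGES = {"alice": ["IMG_0001.jpg", "IMG_0002.jpg"]}


def graph_error(code, message):
    """Graph API error envelope, in the shape of the response quoted in the post."""
    return {"error": {"message": f"(#{code}) {message}", "type": "OAuthException", "code": code}}


def vaultimages_vulnerable(access_token):
    """GET /me/vaultimages as described before the fix: the server validates the
    token and its user_photos scope but never asks which app the token belongs to."""
    tok = TOKENS.get(access_token)
    if tok is None:
        return graph_error(190, "Invalid OAuth access token")  # illustrative code
    if "user_photos" not in tok.scopes:
        return graph_error(10, "Application does not have permission for this action")
    return {"data": [{"name": name} for name in VAULT_IMAGES.get(tok.user_id, [])]}


def vaultimages_fixed(access_token, whitelist=VAULT_WHITELIST):
    """The same endpoint after the fix: the calling app must be whitelisted.
    The app check runs before the scope check, so a non-whitelisted app learns
    nothing about the user's permissions either."""
    tok = TOKENS.get(access_token)
    if tok is None:
        return graph_error(190, "Invalid OAuth access token")  # illustrative code
    if tok.app_id not in whitelist:
        return graph_error(3, "App must be on whitelist")  # the response shown in the post
    if "user_photos" not in tok.scopes:
        return graph_error(10, "Application does not have permission for this action")
    return {"data": [{"name": name} for name in VAULT_IMAGES.get(tok.user_id, [])]}


def leaking_apps(endpoint, whitelist=VAULT_WHITELIST):
    """Audit helper: which non-whitelisted apps can read vault images through
    `endpoint` with the tokens in the store. An empty set means the endpoint
    is keyed on the calling app, not only on the token's owner."""
    leaks = set()
    for access_token, tok in TOKENS.items():
        if tok.app_id in whitelist:
            continue
        response = endpoint(access_token)
        if response.get("data"):
            leaks.add(tok.app_id)
    return leaks


if __name__ == "__main__":
    # The malicious third-party app replays its own user_photos token.
    print("before fix:", vaultimages_vulnerable("tok-third-party"))
    print("after fix: ", vaultimages_fixed("tok-third-party"))
    print("apps leaking before:", leaking_apps(vaultimages_vulnerable))
    print("apps leaking after: ", leaking_apps(vaultimages_fixed))
```

The general lesson the model makes visible: a valid user token proves who the user is, but a per-endpoint decision about private data must also consider which client the token was issued to. Running the audit helper against both versions shows the third-party app in the leak set before the fix and an empty set after it.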

First Acknowledgement from Facebook Security Team.

Facebook Private Photos Vulnerability Acknowledgement from Facebook Security Team

Acknowledgement of Fix.

Facebook Private Photos Vulnerability Acknowledgement of Fix

Facebook rewarded me $10,000 USD as part of their bug bounty program.

$10,000 USD bounty from Facebook For Private Photos Bug
I got my name listed in their white hat honour list for reporting vulnerabilities.
Facebook Whitehat Honour List 2015 - Laxman Muthiyah
A couple of vulnerabilities (this one and the photo-deleting vulnerability) took me to the top of the list 😀 I thank the Facebook Security Team for quickly patching this issue and for running the bug bounty program.
Please let me know your thoughts below in comments 🙂


  • Jerry Holmes

    Everyone should be careful of who they contact on here; there are a lot of fakes everywhere. I thought this hacking thing was a joke till I needed someone to do a private hack for me and also a Facebook one. I was introduced to [email protected] by my very good British friend, so I decided to try him and he passed. Firstly he proves to you he is not a cheat by working a sample job that you confirm first, then you are 100% sure he can do your work without being cheated. He never asks for payment first; he shows proof of work first. He is just great.

  • doris simeon

    If you want all your hacking problems solved, there’s no other place to go or person to contact other than the guru himself. He does jobs ranging from bank account hacks, Facebook, emails, grade changes, cell phone hacks, among others. He also makes international passports for different countries. Contact him and come thank me later. specialhacker4uAT(gmmaiil(dot) com is the best man for the job.

    • robert pires

      Hi guys, if you are looking for hacking services, contact specialhacker for all kinds of hacking services you need.

    • maleek berry

      Only hacker I can recommend. They also helped me protect my phone from being hacked or spied on.

    • jidenna mane

      thank you dude

  • Nicholas Wilson

    I wish to publicly appreciate the efforts of one of America’s greatest hackers by the name Peter Barclay. I contacted him about three months back from Texas when I needed access to an entire cellphone. He did something he called R.C (Remote Cloning) and granted me access to the target's Facebook, WhatsApp, emails, text messages, Twitter, call logs, Instagram and other apps on the cellphone without me touching the phone; I received all the information on my own phone. He is simply amazing in many other areas of hacking. CONTACT Peter - Email: [email protected]

  • philip koke

    I never believed hacking was real until a friend introduced me to one who helped me install a keylogger on my wife’s phone and PCs to get all her passwords, spy on her and gain remote access to her WhatsApp. You can contact him by sending a mail request to HACKZUES AT G MAIL D0T C0M