We’ve written about Laxman Muthiyah before.
He recently scored $12,500 from Facebook for noticing that you could delete other people’s photos from Facebook.
He grafted a Facebook for Android authentication token into a plain old web request to Facebook, and found that he could have deleted other people’s photo albums.
All he had to do was guess the numeric ID of the album he wanted to remove.
Somehow, Facebook didn’t match up the owner of the login token (unique to you) with the owner of the photo album.
So, as long as you were authenticated to delete some photos, you could in theory delete any photos, provided those photos were already public.
That bug wasn’t a privacy issue, given that the photos were already published, but it was definitely a Security Bypass or Denial of Service vulnerability!
After all, if I invite you into my art gallery to view my paintings, I’m not implicitly giving you permission to take them with you when you leave.
Laxman does it again
Anyway, Laxman has done it again.
This time, the problem was one of confidentiality, not availability.
Simply put, he found that, if you had Facebook’s Photo Sync feature turned on, then any app with permission to access photos on your phone could access your synced photos, too.
Photo Sync means that whenever you take photos with your phone (and that includes screenshots, by the way), Facebook’s app automatically uploads them to Facebook’s cloud in case you want to publish them online later.
We can’t think why that’s a good idea, but many people seem to find the feature useful because:
- You get an automatic backup of every photo.
- Uploaded photos are private by default, so they aren’t visible to other people until you want them to be.
- It makes it convenient to share photos later on.
Laxman’s bug was the fact that apps other than Facebook’s own could read those synced photos back from the cloud.
Obviously, if you’ve authorised an app to access the photos on your device, you have already accepted the risk of allowing that app to do unsavoury things with private snapshots you might take.
So this is not an earth-moving bug, but it’s definitely a security hole.
After all, by authorising a mobile app to access photos on a specific mobile device, you almost certainly didn’t intend to give that app access to your synced-to-Facebook photos as well.
Indeed, your synced Facebook photos might include images and screenshots taken on other devices, where that app has no authority at all.
Facebook agreed that this wasn’t supposed to happen, closed the hole very quickly (now, only Facebook’s own app is allowed to access synced photos), and awarded Laxman another $10,000.
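Both of Laxman’s bugs come down to a missing authorisation check: the album-deletion bug lacked an object-level check (does the token’s owner own this album?), and the Photo Sync bug lacked a client-level check (is this Facebook’s own app?). As an added illustration that is not Facebook’s code, with every name, ID and data item an assumption made up for the example, here are both checks on a toy in-memory photo API, with flags that reproduce each bug beside its fix:

```python
"""Added illustration, not Facebook's code: the two authorisation checks whose
absence the article describes, on a toy in-memory photo API. All names, IDs
and the data layout are assumptions made up for this example."""
FIRST_PARTY_APP = "facebook-official"   # assumed identifier for Facebook's own app
# Constructed data. ALBUMS: album_id -> (owner, is_public); SYNCED: user -> photo names
ALBUMS = {101: ("alice", True), 102: ("alice", False)}
SYNCED = {"alice": ["screenshot-1.png", "screenshot-2.png"]}


def delete_album(session, album_id, albums, check_owner=True):
    """check_owner=False reproduces bug 1: the server confirms that *a* user is
    logged in, but never that the token's owner is also the album's owner."""
    if album_id not in albums:
        return "not found"
    owner, is_public = albums[album_id]
    if not is_public and owner != session["user"]:
        return "not found"   # visibility check: private albums were never reachable
    if check_owner and owner != session["user"]:
        return "forbidden"   # ownership check: a guessable numeric ID is not a capability
    del albums[album_id]
    return "deleted"


def read_synced(session, synced, check_app=True):
    """check_app=False reproduces bug 2: any app holding a valid token for the
    user can read photos meant to be visible only to Facebook's own app."""
    if check_app and session["app"] != FIRST_PARTY_APP:
        return "forbidden"
    return list(synced.get(session["user"], []))


def scenario():
    """Constructed scenario: Mallory guesses Alice's album IDs using her own
    valid token; Alice has granted a third-party photo app access to her photos."""
    mallory = {"user": "mallory", "app": FIRST_PARTY_APP}
    alice_via_app = {"user": "alice", "app": "third-party-photo-app"}
    alice_via_fb = {"user": "alice", "app": FIRST_PARTY_APP}
    return {
        "delete_before_fix": delete_album(mallory, 101, dict(ALBUMS), check_owner=False),
        "delete_private_before_fix": delete_album(mallory, 102, dict(ALBUMS), check_owner=False),
        "delete_after_fix": delete_album(mallory, 101, dict(ALBUMS)),
        "owner_delete_after_fix": delete_album(alice_via_fb, 101, dict(ALBUMS)),
        "sync_before_fix": read_synced(alice_via_app, SYNCED, check_app=False),
        "sync_after_fix": read_synced(alice_via_app, SYNCED),
        "sync_own_app_after_fix": read_synced(alice_via_fb, SYNCED),
    }
```

Note that the visibility check alone is what limited the first bug to already-public albums; it is the second, ownership check that closes the hole.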
What to do?
You don’t have to apply any patches in this case: the bug was on Facebook’s servers and was fixed there, thus immediately slamming the door on this loophole for everyone.
But it might well be a timely reminder to check your privacy settings, because Photo Syncing may be enabled without you being aware of it.
To turn it off, you can follow Facebook’s instructions.
If you have an iPhone, you can also control which apps can access your photos in the first place, using the Settings | Privacy | Photos page.
Be warned: if you have been syncing your photos without realising it, you will want to remove them.
I couldn’t figure out how to do this in bulk.
I ended up going to Photos | Synced to Phone in my profile, opening each photo in turn, and using the [Delete] menu item (or [Delete Photo] on the iPhone) at the bottom of each image.
With up to 2GB of free Photo Sync storage, one-by-one deletion could take a while.
5 comments on “Thought your private phone photos weren’t on Facebook? Think again…”
Are you sure it is on by default? When I click on “Synced”, it says “Introducing Photo Syncing” and there is no Gear Icon. There is a button “Sync Photos” which I assume will turn the feature on (this on an iPhone 4 btw)
I am on iOS 8.2.
I installed the Facebook app especially for this article, and unless I am very much mistaken, photo syncing was on by default, although it didn’t work by default because the Facebook app didn’t have permission to read my photos.
When I turned that on in Settings | Privacy | Photos and went back to the Facebook app, it had already started syncing my photos. (In my case, the screenshots I just made for the article. 🙂)
So I am assuming that for many people, it will probably “just work.”
We have some more info, though probably a bit dated now, here:
I have to admit that I haven’t tried the Android version of the app, but the UI is apparently similar, albeit not identical.
Hmmm…replying to self 🙂
I changed my wording to “Photo Syncing may be enabled without you being aware of it,” instead of “is on by default,” which I think is more accurate if less precise (if that makes sense :-).
Ah the iOS version is probably the issue. My iPhone 4 is on 7.1.2.
Thanks for clarifying!
There seems to be no way to turn this on for the iPhone so I just deleted the Facebook app.