He recently scored $12,500 from Facebook for noticing that you could delete other people’s photos from Facebook.
He grafted a Facebook for Android authentication token into a plain old web request to Facebook, and found that he could have deleted other people’s photo albums.
All he had to do was guess the numeric ID of the album he wanted to remove.
Somehow, Facebook didn’t match up the owner of the login token (unique to you) with the owner of the photo album.
So, as long as you were authenticated to delete some photos, you could in theory delete any photos, provided those photos were already public.
That bug wasn’t a privacy issue, given that the photos were already published, but it was definitely a Security Bypass or Denial of Service vulnerability!
After all, if I invite you into my art gallery to view my paintings, I’m not implicitly giving you permission to take them with you when leave.
Laxman does it again
Anyway, Laxman has done it again.
This time, the problem was one of confidentiality, not availability.
Simply put, he found that, if you had Facebook’s Photo Sync feature turned on, then any app with permission to access photos on your phone could access your synced photos, too.
Photo Sync means that whenever you take photos with your phone (and that includes screenshots, by the way), Facebook’s app automatically uploads them to Facebook’s cloud in case you want to publish them online later.
We can’t think why that’s a good idea, but many people seem to find the feature useful because:
- You get an automatic backup of every photo.
- Uploaded photos are private by default, so they aren’t visible to other people until you want them to be.
- It makes it convenient to share photos later on.
Laxman’s bug was the fact that apps other than Facebook’s own could read those synced photos back from the cloud.
Obviously, if you’ve authorised an app to access the photos on your device, you have already accepted the risk of allowing that app to do unsavoury things with private snapshots you might take.
So this is not an earth-moving bug, but it’s definitely a security hole.
After all, by authorising a mobile app to access photos on a specific mobile device, you almost certainly didn’t intend to give that app access to your synced-to-Facebook photos as well.
Indeed, your synced Facebook photos might include images and screenshots taken on other devices, where that app has no authority at all.
Facebook agreed that this wasn’t supposed to happen, closed the hole very quickly (now, only Facebook’s own app is allowed to access synced photos), and awarded Laxman another $10,000.
What to do?
You don’t have to apply any patches in this case: the bug was on Facebook’s servers and was fixed there, thus immediately slamming the door on this loophole for everyone.
But it might well be a timely reminder to check your privacy settings, because Photo Syncing may be enabled without you being aware of it.
To turn it off, you can follow Facebook’s instructions.
If you have an iPhone, you can also control which apps can access your photos in the first place, using the Settings | Privacy | Photos page.
Be warned: if you have been syncing your photos without realising it, you will want to remove them.
I couldn’t figure out how to do this in bulk.
I ended up going to Photos | Synced to Phone in my profile, opening each photo in turn, and using the [Delete] menu item (or [Delete Photo] on the iPhone) at the bottom of each image.
With up to 2GB of free Photo Sync storage, one-by-one deletion could take a while.