Laxman Muthiyah is an independent security researcher who recently found a bug in the photo sync feature of Facebook's mobile app. The vulnerability could have given third-party apps access to all of a user's synced private photos. Thanks to his bug report, Facebook fixed the problem and rewarded him with $10,000.
The Sync Bug as a Potential Security Threat
The sync vulnerability allowed an attacker who controlled a Facebook app to read a user's synced private photos once the user had granted that app permission to access their photos. Getting such a grant is not hard, since most users accept an app's permission prompt without reading it.
The 'sync photos' feature is enabled by default in Facebook's mobile application. It uploads the phone's photos to a private area of the user's account through a Graph API endpoint dubbed 'vaultimages'.
The researcher discovered that the endpoint was easy to abuse because it accepted requests from any application that had been granted the permission to read the user's photos (the Graph API's user_photos permission), not just from Facebook's own mobile app. Any third-party app holding such a token, including a malicious one, could therefore read the user's synced private images. It took him only a few minutes of testing to pin the issue down to the vaultimages endpoint.
In other words, the endpoint verified the owner of the access token and its permissions, but never checked which application the token had been issued to, even though only Facebook's own mobile app should have been able to call it.
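To make the authorization gap concrete, the following is an added example (not Facebook's code and not taken from the researcher's report). It models an access token by the fields a token-introspection call would return, stores a hypothetical per-user photo vault, and shows the vulnerable check (token owner and permission only) next to the hardened one, which additionally requires the token to have been issued to a first-party app. The app identifiers, photo names and scope name are assumptions for the example.

```python
from dataclasses import dataclass, field

# Added example: minimal model of an access token as an introspection endpoint
# would describe it (who it belongs to, which app it was issued to, which scopes
# the user granted). All values below are constructed for illustration.


@dataclass(frozen=True)
class AccessToken:
    user_id: str
    app_id: str
    scopes: frozenset = field(default_factory=frozenset)


# Hypothetical vault of photos synced from each user's phone, keyed by user id.
VAULT = {
    "user-1": ["IMG_0001.jpg", "IMG_0002.jpg"],
    "user-2": ["IMG_0100.jpg"],
}

# Hypothetical identifier of the official mobile app, the only client that
# should ever be allowed to read the vault.
FIRST_PARTY_APPS = frozenset({"official-mobile-app"})

PHOTOS_SCOPE = "user_photos"


def vault_images_vulnerable(token: AccessToken) -> list:
    """Vulnerable: only checks that the token's owner granted the photos scope.

    Any third-party app whose token carries that scope is served the vault.
    """
    if PHOTOS_SCOPE not in token.scopes:
        raise PermissionError("missing %s permission" % PHOTOS_SCOPE)
    return list(VAULT.get(token.user_id, []))


def vault_images_fixed(token: AccessToken) -> list:
    """Hardened: same scope check, plus the token must belong to a first-party app.

    The scope proves the user consented; the app_id check proves the caller is
    the client this internal endpoint was built for.
    """
    if PHOTOS_SCOPE not in token.scopes:
        raise PermissionError("missing %s permission" % PHOTOS_SCOPE)
    if token.app_id not in FIRST_PARTY_APPS:
        raise PermissionError("vaultimages is restricted to first-party apps")
    return list(VAULT.get(token.user_id, []))


def is_allowed(handler, token: AccessToken) -> bool:
    """Return True if the handler serves the request, False if it rejects it."""
    try:
        handler(token)
    except PermissionError:
        return False
    return True


def demo() -> dict:
    """Run both handlers against three constructed tokens and collect the outcomes."""
    official = AccessToken("user-1", "official-mobile-app", frozenset({PHOTOS_SCOPE}))
    third_party = AccessToken("user-1", "some-quiz-app", frozenset({PHOTOS_SCOPE}))
    no_scope = AccessToken("user-1", "some-quiz-app", frozenset({"email"}))
    return {
        "official": (is_allowed(vault_images_vulnerable, official),
                     is_allowed(vault_images_fixed, official)),
        "third_party": (is_allowed(vault_images_vulnerable, third_party),
                        is_allowed(vault_images_fixed, third_party)),
        "no_scope": (is_allowed(vault_images_vulnerable, no_scope),
                     is_allowed(vault_images_fixed, no_scope)),
    }


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print("%-12s vulnerable=%s fixed=%s" % (name, before, after))
```

The third-party token is the case described in the article: it passes the vulnerable handler because the user granted the photos permission, and is refused by the fixed handler because it was not issued to the first-party app. Note that the fix keeps the scope check; the app check is an additional condition, not a replacement for user consent.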
The good news is that Facebook reacted immediately and fixed the problem in less than an hour.
Bug hunting may look like an odd occupation, but it has proven to be an effective way to make a living. In fact, this is not the first time Laxman Muthiyah has found and reported a vulnerability to Facebook: in February this year he discovered he could delete any photo album on the social network using only four lines of code. That report earned him a reward of $12,500.