Private photos could be available to hackers with Facebook flaw

Laxman Muthiyah found that any app could get access to private photos by exploiting a weakness in Facebook’s API and pretending to be an app that is actually meant to view the photos.

Facebook has already patched the vulnerability, reportedly closing the security hole in 30 minutes by whitelisting the official apps that are meant to have access and blocking any others that could have used the vulnerability to reach images they weren’t supposed to see.

Here’s how Muthiyah described the vulnerability:

There are large numbers of Facebook applications which use user_photos permission to read user’s public photos. A malicious app which you are using can read all of your private photos in a few seconds.

The problem of malicious apps accessing photos that are meant to remain private is one that has existed for a long time, and not just on Facebook. Last year, a Snapchat client was discovered to have been storing private photos and videos, and its database of images was hacked and posted online.

One reason why security researchers spend so long hunting for bugs in Facebook is the fact that it offers large cash rewards. Muthiyah received a $10,000 reward for his research.

Here’s the message that Muthiyah received after Facebook fixed the flaw:

[Image: the message Muthiyah received from Facebook. Image credit: Laxman Muthiyah]

This article originally appeared in Business Insider. Copyright 2015.
