A security researcher recently discovered certain iOS and Android apps were able to see your private Facebook photos without your knowledge. Upon being informed about the matter, Facebook only needed 30 minutes to patch the security issue, although the company’s troubles may be far from over.
Even though the security flaw is fixed, the fact remains that, until the patch, personal photos were accessible to any mobile application that had obtained access to a Facebook account. The Register reports that developers who were aware of the flaw could have instructed their apps to take advantage of it and swipe both public and private photos in a matter of seconds.
“Facebook mobile application has a feature called ‘Sync photos’ which helps us to keep a backup (up to 2GB) of our mobile photos,” the security expert wrote. “This feature enables Facebook mobile application to upload all the photos taken by your mobile to your account and it would remain private until you publish it. Sync photos feature is turned on by default in some mobile phones. We can control it in the app settings. Most of us are unaware of this feature. If you don’t want Facebook to back up your photos, go to app settings and turn it off.”
Facebook fixed the problem by whitelisting the official apps that are supposed to access photos, thus blocking all others that could have used the security flaw to gain access to private images.
Not too long ago, Muthiyah, the researcher who reported this flaw, discovered a different security bug that allowed users to delete any Facebook photo album. That bug should also be fixed now.