Vulnerabilidade na Photo API do Facebook expõe fotos de 6,8 milhões de utilizadores

Vulnerabilidade na Photo API do Facebook expõe fotos de 6,8 milhões de utilizadores.

O Facebook anunciou que fotos de 6,8 milhões de utilizadores podem ter sido expostas por uma vulnerabilidades na Photo API, permitindo que aplicações de terceiros comuniquem diretamente com a API para fins de exfiltração.

Esta falha impactou mais de 870 programadores e apenas as apps com acesso à fotos dos utilizadores poderiam ter explorado a vulnerabilidade in-the-wild.

De acordo com o a equipa interna de desenvolvimento do Facebook; os autores da descoberta; a falha expôs fotos de utilizadores durante 12 dias, entre 13 de setembro e 25 de setembro de 2018.

“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.” reads a post published by Facebook.

As apps que recebem acesso às fotos podem aceder apenas a imagens partilhadas na cronologia do utilizador. A vulnerabilidade também poderia ter exposto outras fotos, incluindo aquelas partilhadas no Facebook Marketplace ou via Stories, e até mesmo fotos que foram apenas enviadas, mas que não foram publicadas.

“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.” continues the post.

Atualmente o Facebook está a notificar todos os utilizadores impactados através de uma notificação enviada para a sua conta da rede social:

“We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.” concludes Facebook.
“We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.”

Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.

In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.