A researcher has discovered a privacy bug in the Facebook Android app that enables an attacker to view and download any images that a user sends to Facebook. The problem derives from the fact that the app, along with the official Facebook Messenger app for Android, don’t send those images over HTTPS, even though the apps are meant to do so.
The researcher, Mohamed Ramadan, reported the vulnerability to Facebook in February, and the company fixed the issue, Ramadan said. The bug affected the official Facebook and Facebook Messenger apps for Android, both of which are designed to send requests via a secure HTTPS connection. However, Ramadan found that in some cases the apps would send requests to the Facebook servers over plain HTTP. Specifically, he noticed that it happened when uploading photos.
What that means is that an attacker who is able to capture a target’s wireless traffic would be able to grab whatever images the target is uploading. The attacker could then do whatever he chooses with the photos.
“I found that the official Facebook Messenger and Facebook app for android latest version are sending and receiving images using HTTP protocol and any one on the same wireless network can sniff my traffic and view all images or even replace it with his own images,” Ramadan said in his report to Facebook.
Facebook took a month or so to respond to the report, Ramadan said, but when they did, they said that the security team had been able to reproduce the bugs and was going to pay Ramadan $1,500 as part of its bug bounty program. A nice reward for a bit of security research. But then, a short while later, the Facebook security team got in touch again to say that it was adding $500 to the bounty because Ramadan had reported both the Messenger and regular app bugs.
The Android Facebook apps have been updated to fix this issue, and Ramadan said he recommends that users install the updates to avoid running into a problem with their private photos ending up in the wrong hands.
“It is time to update your Facebook apps right now, if you are a bit lazy like me and forget to update android apps then UPDATE NOW!” he said.