A security researcher has found a new flaw in Facebook that allows any malicious application to view your synced mobile photos.
The photo sync feature lets users sync their mobile photos with their Facebook account, and the photos remain private until you publish them. But this feature is turned on by default on many mobile phones.
Laxman Muthiyah found that the "vaultimages" endpoint of the Facebook Graph API, which handles these synced photos, is vulnerable.
The Facebook app retrieves the synced photos by making an HTTP GET request to a specific URL with a top-level access token, and a malicious app could make the same request to read all your private photos in seconds.
Laxman Muthiyah reported this flaw to the Facebook Security Team, who pushed a fix in less than 30 minutes and rewarded him $10,000 USD as part of their bug bounty program.
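The class of bug described above is an endpoint that accepts any valid user access token without checking which application the token was issued to. The following is an added illustration, not Facebook's code or its actual fix: a flawed handler beside a hardened one that additionally requires the token to belong to the first-party app and carry a photos permission. The app id, the `user_photos` scope name, the token record and the sample vault contents are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumption: id of the official first-party mobile client.
FIRST_PARTY_APP_ID = "fb-mobile-app"
# Assumption: permission name the vault read should require.
REQUIRED_SCOPE = "user_photos"

@dataclass(frozen=True)
class AccessToken:
    """Minimal model of a user access token: who it is for, which app
    it was issued to, and which permissions the user granted that app."""
    user_id: str
    app_id: str
    scopes: frozenset = field(default_factory=frozenset)

# Constructed sample data: unpublished synced photos per user.
VAULT = {"user-1": ["sync-001.jpg", "sync-002.jpg"], "user-2": ["sync-100.jpg"]}

class AuthorizationError(Exception):
    pass

def vaultimages_vulnerable(token: AccessToken) -> list:
    """Models the flawed behaviour: any app holding a token for the user
    is served that user's private synced photos."""
    return list(VAULT.get(token.user_id, []))

def can_read_vault(token: AccessToken) -> bool:
    """Authorization rule for the hardened handler (one reasonable check,
    not the vendor's actual fix): only the first-party app, and only when
    the token carries the photos permission."""
    return token.app_id == FIRST_PARTY_APP_ID and REQUIRED_SCOPE in token.scopes

def vaultimages_hardened(token: AccessToken) -> list:
    """Hardened handler: refuses third-party or under-scoped tokens."""
    if not can_read_vault(token):
        raise AuthorizationError("vault read denied for app %s" % token.app_id)
    return list(VAULT.get(token.user_id, []))
```

Logging the rejected `app_id` in the hardened path also gives a simple detection signal: repeated denials from the same third-party app id against a first-party-only endpoint are worth investigating.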