Facebook fixes “peeping tom” webcam bug

Thanks to benevolent security researches, a bug that could have allowed hackers to take over Facebook users' webcams has been squashed.


Fidel Martinez

Internet Culture

Posted on Jan 2, 2013   Updated on Jun 2, 2021, 4:24 am CDT

Facebook announced Wednesday that it had fixed a security issue that would surely have caused the social network a lot of grief and public embarrassment.

A company spokesperson who spoke with Bloomberg confirmed that they had squelched a “peeping Tom” bug that would allowed hackers to use the webcams of unsuspecting Facebook subscribers to record and post videos on their behalf.

Facebook first learned of the bug back July when Aditya Gupta and Subho Halder, two Indian hackers who founded XY Security, notified the social network of the vulnerability. The company will be paying Gupta and Halder $2,500 for their information as part of its white hat program, a bounty system that encourages hackers and security experts to notify Facebook of potential security breaches in exchange for cash.

Gupta broke the news via his personal blog.

“Also, just few hours back, Subho Halder got an email from Facebook Security that we (Aditya Gupta and Subho Halder) will be getting a bounty of $2500 for a bug that we submitted 4 months back, that will come as a Facebook WhiteHat Debit Card,” he wrote.

“The issue was in the video upload feature (via Webcam) of Facebook, as they didnt [sic] had proper security checks enforced. Using this, an attacker could trick a user to silently record his webcam video and publish it to his facebook wall, without the user even knowing about it.”

For its part, Facebook maintains that there were no victims of the bug.

“This vulnerability, like many others we provide a bounty for, was only theoretical, and we have seen no evidence that it has been exploited in the wild,” spokesman Fred Wolens told the Bloomberg.

“Essentially, several things would need to go wrong—a user would need to be tricked into visiting a malicious page and clicking to activate their camera, and then after some time period, tricked into clicking again to stop/publish the video.”

Photo via bfishadow/Flickr

Share this article
*First Published: Jan 2, 2013, 7:44 pm CST