Facebook app is spying on you through your camera without permission

A report recently published by a web application security specialist mentions that Facebook may be enabling the front camera on some smartphone models (specifically iPhone) without consent while users scroll though the company app.

Via Twitter, user Joshua Maddux, in charge of the report, reported the discovery of this anomalous behavior in the Facebook app for the iOS mobile system. In his post, the expert showed that his iPhone’s camera was active in the background while he was browsing his Facebook profile.

In the expert’ post it can be seen that by simply opening a photo in the Facebook app and swiping down, will trigger the error. At one of the edges of the screen it is even possible to see a fragment of the camera feed. Web application security experts from the specialized TNW platform replicated the actions described by Maddux, obtaining the expected result.

In the background it can be seen the live feed of the user’s camera. Source: Joshua Maddux

In later tweets, Joshua Maddux claims that he successfully tested this error on five different iPhone models (all with iOS 13.2.2), although the flaw does not appear to exist in iOS 12, or at least not in the same way; “In iOS 12 it is not possible to see at first glance the camera feed, although I cannot claim or deny that it is active in the background”, he mentions.

Some users decided to test the error for themselves, finding exactly the same situation that Maddux claimed; other users discovered that, for the error to be presented as described in the report, the user must have previously granted the Facebook app permission to access the camera. Otherwise, a system message will be displayed informing users about denied access to the camera.

Web app security specialists were unsuccessful in trying to reproduce the error on Android 10 smartphones, so it only seems to affect the Facebook app for iOS.

Although some members of the cybersecurity community have already set out to try to determine whether this is an intentional behavior or a simple bug in the app, there is no clear explanation yet. The company is not yet officially pronounced, although most expect Facebook to claim that it is a flaw in the app.

Until we learn more about this discovery, experts from the International Institute of Cyber Security (IICS) remind smartphone users that not only Facebook, but any other app that has permission to access the camera of the device, could be activated without your consent for malicious purposes.