The photo leakage can happen once a user gives an app permission to access location information on an iPhone (or iPad or iPod Touch), according to The New York Times. The app "can copy the user’s entire photo library, without any further notification or warning, according to app developers."
It is unclear whether any apps in Apple’s App Store are illicitly copying user photos. Although Apple’s rules do not specifically forbid photo copying, Apple says it screens all apps submitted to the store, a process that should catch nefarious behavior on the part of developers. But copying address book data was against Apple’s rules, and the company approved many popular apps that collected that information.
Apple declined to comment to the newspaper; we've also asked Apple about the issue, and will update this post if we hear back.
The newspaper said it "asked a developer, who asked not to be named because he worked for a popular app maker and did not want to involve his employer, to create a test application that collected photos and location information from an iPhone. When the test app, PhotoSpy, was opened, it asked for access to location data. Once this was granted, it began siphoning photos and their location data to a remote server.
(The app was not submitted to the App Store.)"
Developers know that "this capability exists," the Times said, but they "assumed that Apple would ensure that apps that inappropriately exploited it did not make it into the App Store. Based on recent revelations, phone owners cannot be sure."