Prime Inspiration

New Facebook bug exposes up to 6.8 million users’ private photos to app developers

by

Amarnath Natarajan
in
Facebook
Facebook

Today, Facebook disclosed a bug in their Photo API that gave app developers access to the photos of up to 6.8 million users. This bug was live for 12 days in September and allowed third-party developers to access private photos millions of users.

The Irish Data Protection Commission, the body that oversees Facebook’s compliance with European regulations, said on Friday that it had launched a “statutory inquiry” into Facebook as a result of multiple breaches the company had informed them about this year.

When it comes to third-party Facebook apps and their access to user photos, the way it works is pretty simple: apps can only access public photos which appear on a given user’s timeline. The bug in question, however, granted access to all sorts of photos, even photos that were not fully posted to the site.

When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories.

According to Tomer Bar, an engineering director at Facebook, the worst thing about the bug is that even photos that users started to upload to Facebook but did not post could have been accessed, along with images posted to Facebook Stories

The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post.

Along with an apology, Facebook says that it plans to introduce a new tool for app developers to figure out which users might have been vulnerable to the bug. Additionally, Facebook said that it will alert individual users who may have had their photo collection compromised by the bug over the next few days.

Facebook has had an embarrassingly terrible year when it comes to user privacy. First, the Cambridge Analytica revelations exposed the company’s weak privacy policies from years past. This even made Mozilla run a petition calling for Facebook to lock down app permission settings to ensure users’ privacy is “protected by default”. Mozilla even pressed pause on all advertising on Facebook.

Second, there was a bug that accidentally “unblocked” people that users had blocked. Finally, a bug that changed users’ share settings so that they were sharing information publicly without realizing it; hackers then stole the private information for almost 30 million users right before the midterm elections.

At this point, there is no indication as to which apps, in particular, had improper access to user photos, nor is there any indication as to how many photos were improperly accessed. Facebook, meanwhile, will begin to alert users who were impacted. Here’s what the alert will look like.

Facebook Privacy Alert
Facebook Privacy Alert

Now all these bugs followed by various privacy and security mishaps from the Facebook team has started to raise multiple questions and most important of them is why would anyone trust Facebook with their personal data?

 

Tags:

, , ,
Amarnath Natarajan Avatar
Amarnath Natarajan
I am a freelance programmer and tech enthusiast. In my spare time, I contribute to this website.

Help Us Grow

If you like this post, please share it with your friends.

You are free to copy and redistribute this article in any medium or format, as long as you keep the links in the article or provide a link back to this page.

Subscribe to Newsletter

Privacy Settings

Privacy & Cookie Overview

Our website uses cookies to provide you with the best user experience possible. These cookies are stored in your browser and perform essential functions such as recognizing you when you return to our website, as well as helping us to understand which sections of the website you find most useful and engaging.

To learn more, you can read our Privacy & Cookie Policy or reach out through our Contact form.

Strictly Necessary Cookies

Strictly Necessary Cookies must always be enabled to ensure the proper functioning of this website and to allow us to provide you with excellent service. These cookies are also essential for saving your cookie preferences.

Google Adsense

We use Google AdSense to keep this site free by displaying relevant ads. AdSense requires essential cookies that cannot be disabled, but you can manage other cookies. We respect your privacy and provide options to control non-essential cookies.

For more details on how Google handles your data, visit Google's Data Usage Policy. Please review our Privacy Policy for more information on how we protect your data.

AddToAny

We use AddToAny for social sharing. It doesn’t store cookies, ensuring a privacy-friendly experience. AddToAny complies with GDPR and CCPA by default.

For more, see their Privacy Policy.

OneSignal

We use OneSignal to send notifications to users who opt in. OneSignal complies with GDPR and is certified under the EU-US and Swiss-US Privacy Shield frameworks.

For more, see their Privacy Policy.

3rd Party Cookies

This website utilizes third-party cookies, which can enhance your experience and support our ongoing efforts to improve our services.

Google Analytics

We use Google Analytics to collect anonymous data, such as visitor numbers and popular pages, to improve user experience and site performance. Keeping this cookie enabled helps us refine the site based on visitor activity.

For more information, see Google’s Privacy Policy.

Discover more from Prime Inspiration

Subscribe now to keep reading and get access to the full archive.

Continue reading