Facebook bug exposed private photos of 6.8M users to third-party developers

Another day, another privacy breach – This time, the social media giant Facebook has announced that a bug in its Photo API exposed private photos of over 6.8 million users to third-party app developers.

The breach took place from September 13 to September 25, 2018, which means for 12 days straight some developers could view your personal and private photos without any restriction and without your consent. The company believes that up to 1,500 apps built by 876 developers had access to user’s photos.

This included photos uploaded by users on their Facebook Stories and Marketplace. Unsurprising, this also included photos that users uploaded to Facebook but decided to post. It is noteworthy that Facebook saves a copy of everything a user does on the timeline box including unpublished statues and photos.

See: Facebook Monitors Everything You Type Even If You DON’T Post

“If someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo for three days so the person has it when they come back to the app to complete their post,” wrote Facebook’s engineer director Tomer Bar.

Although the bug has been fixed, Facebook will get in touch with you if your private photos were inappropriately accessed by these developers. Furthermore, the company maintains that it is working with developers to delete the photos from impacted users.

“We are also recommending people log into any apps with which they have shared their Facebook photos to check which photos they have access to,” said Bar.

Image credit: Facebook

This is not the first time when a Facebook bug exposed the personal content of users. In June this year, a bug exposed private posts of 14 million users to the public. Moreover, in October this year, the company announced that hackers stole data of over 30 million users (including their phone numbers and location data) after exploiting a vulnerability in its “View As” feature in September.

See: How to Delete Your Facebook Account Permanently – 2018 Guide

Nevertheless, to avoid embarrassment, the company also launched a bug bounty program last month urging hackers and security researchers to report flaws in Facebook, Instagram, WhatsApp, and Oculus to earn $25,000 to $40,000.

On the other hand, a couple of days ago, Google+ also made headlines for exposing personal data of 53 million users to third-party developers due to a bug in Google+ API. The recent incident forced the company to announce the shut down of Google+ website and app earlier than previously anticipated.

Related Posts