Facebook has announced that up to 1,500 third-party Facebook apps had access to user photos they were not supposed to be able to see, including unpublished photos. The self-inflicted privacy hole was due to a ‘bug’ in the Facebook photo API which, Facebook says, gave those apps unpermitted access to the photos of as many as 6.8 million Facebook users for 12 days in September 2018.
Facebook quietly revealed the issue on Friday in a statement addressed only to its Facebook Developer community, calling the issue a ‘bug’ in their photo API, although we suspect that by ‘bug’ they may mean ‘mistake’.
Said Facebook in the statement, “When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo for three days so the person has it when they come back to the app to complete their post.
Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.”
Now, it has been known for five years (almost to the day) that Facebook monitors what you type even if you don’t send it, and it is also possible for someone to gain access to your deleted Facebook posts, so nobody should be surprised at the lack of privacy or security when it comes to Facebook (even if you believe that Facebook is doing everything it can to keep your data secure – does anyone here believe that?).
However, if a picture is worth a thousand words, and if unpublished images that Facebook’s users chose not to share have been exposed – images belonging to as many as 6.8 million users, through 1,500 apps – then that is a great many words’ worth of stories potentially exposed. A single image unintentionally made public can wreak havoc; a single image fallen into the hands of the wrong person can destroy someone’s life.
In their statement Facebook says that they will provide developers with a tool to identify which of their app’s users may have been affected, and will then work with the developers to delete those photos. As if all 1,500 developers are going to simply delete this windfall resource.
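To make the access-control failure described in the statement concrete, here is a small Python model added as an example; it is not Facebook’s code, and the user, app and photo names, the `Surface` enum, the grant table and every function name are assumptions made up for illustration. The buggy endpoint checks only that the user granted the `user_photos` permission and then returns everything the user owns; the scoped version treats surface (timeline, Marketplace, Stories) and publication state as part of the authorisation decision, so an unposted draft never comes back. The `affected_users` helper sketches the kind of per-app report the remediation tool mentioned above would have to produce.

```python
from dataclasses import dataclass
from enum import Enum


class Surface(Enum):
    TIMELINE = "timeline"
    MARKETPLACE = "marketplace"
    STORIES = "stories"


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    surface: Surface
    published: bool  # False models an upload that was never posted (the 3-day draft copy)


# Constructed sample data (not real Facebook data): three users with a mix of
# timeline, Marketplace, Stories and unposted photos.
PHOTOS = [
    Photo("p1", "alice", Surface.TIMELINE, True),
    Photo("p2", "alice", Surface.MARKETPLACE, True),
    Photo("p3", "alice", Surface.TIMELINE, False),  # draft, never posted
    Photo("p4", "bob", Surface.STORIES, True),
    Photo("p5", "bob", Surface.TIMELINE, True),
    Photo("p6", "carol", Surface.TIMELINE, True),
]

# Constructed grant table: app -> user -> permissions the user approved.
# carol never authorised either app, so nothing of hers is reachable.
GRANTS = {
    "app_a": {"alice": {"user_photos"}, "bob": {"user_photos"}},
    "app_b": {"bob": {"email"}},  # no photo permission at all
}


def _check_permission(app_id, user_id, grants):
    """Reject the call unless this user granted this app user_photos."""
    if "user_photos" not in grants.get(app_id, {}).get(user_id, set()):
        raise PermissionError(f"{app_id} has no user_photos grant from {user_id}")


def photos_for_app_buggy(app_id, user_id, photos, grants):
    """Hypothetical buggy behaviour: once the grant exists, every photo the
    user owns is returned, regardless of surface or publication state."""
    _check_permission(app_id, user_id, grants)
    return [p for p in photos if p.owner == user_id]


def photos_for_app_fixed(app_id, user_id, photos, grants):
    """Scoped behaviour: the grant covers only photos the user actually
    published to their timeline. Ownership alone is not authorisation."""
    _check_permission(app_id, user_id, grants)
    return [
        p for p in photos
        if p.owner == user_id and p.published and p.surface is Surface.TIMELINE
    ]


def leaked_photos(app_id, user_id, photos, grants):
    """Photos the buggy endpoint exposed that the scoped one would not."""
    allowed = {p.photo_id for p in photos_for_app_fixed(app_id, user_id, photos, grants)}
    return [p for p in photos_for_app_buggy(app_id, user_id, photos, grants)
            if p.photo_id not in allowed]


def affected_users(app_id, photos, grants):
    """Per-app map of user -> over-exposed photo ids: the kind of result a
    developer-facing remediation tool would need to produce."""
    result = {}
    for user_id in grants.get(app_id, {}):
        try:
            leaked = leaked_photos(app_id, user_id, photos, grants)
        except PermissionError:
            continue  # user authorised the app, but not for photos
        if leaked:
            result[user_id] = [p.photo_id for p in leaked]
    return result


if __name__ == "__main__":
    print(affected_users("app_a", PHOTOS, GRANTS))
    # {'alice': ['p2', 'p3'], 'bob': ['p4']}
```

The point of the two filters side by side is that the fix is not a new permission check but a narrower query: the `user_photos` grant was always present, and the leak came from what the endpoint returned once the grant was satisfied.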
Facebook goes on to say that “We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.”
If you get such a notification, please share whatever info (link to the Help Center page, list of affected apps, etc.) in a comment.
In the meantime, Facebook would like you to know that “We are also recommending people log into any apps with which they have shared their Facebook photos to check which photos they have access to.”