Another breach hits Facebook as API bug exposes 6.8 million users’ photos
- The private photos exposed includes those shared on Marketplace or Facebook stories.
- The leaked private photos were accessed by 1,500 apps built by 876 developers.
Facebook has come under fire again for a new bug that leaked the private photos of nearly 6.8 million users to third-party apps. A Photo API bug was present in its backend code and exposed users’ private photos between September 13 and September 25, 2018.
Impact of the bug
In a press release, Facebook said that the bug provided a broader access to the users’ public photos. This includes the photos shared on Marketplace or Facebook stories.
“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post,” said Tomer Bar, a Facebook Developer in a blog post.
The leaked private photos are accessed by 1,500 apps built by 876 developers. These apps are the one that gained permission to access photos from Facebook during the installation.
Addressing the issue
The firm is working on addressing the issue. It will be working with app developers to delete the photos of the impacted users. In addition, it will be notifying the impacted users via an alert on Facebook.
“We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they'll be able to see if they've used any apps that were affected by the bug,” said Tomer.
The firm has also urged users to check for the apps which have the permission to access their Facebook photos.