Facebook bug exposed private photos of 6.8 million users

Up to 1,500 apps built by 876 developers could have accessed the private photos of 6.8 million users.
Written by Catalin Cimpanu, Contributor on
Image: Facebook

Facebook announced today another security incident affecting millions of its customers. This time, the company said that a bug in one of its APIs exposed the private photos of nearly 6.8 million users.

Facebook blamed this new leak on a Photo API bug that was present in its backend code between September 13 and September 25, 2018.


The company said that during that interval the bug allowed third-party Facebook apps to access more than just the user's public photos. Tomer Bar, a Facebook developer, provided the following explanation of the Photo API bug:

When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo so the person has it when they come back to the app to complete their post.
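As an added illustration that is not part of the article and not Facebook's code, the following Python model shows the authorization check the quoted explanation describes: a photo-access grant should return only photos the user actually published to their timeline, and a filter that checks scope and ownership alone over-grants in exactly the way described (Marketplace, Stories and unfinished uploads). The `Photo` and `Grant` classes, the surface labels and the `user_photos` scope name are assumptions made for the example.

```python
from dataclasses import dataclass
# Hypothetical model; surface labels and field names are assumptions, not Facebook's schema.
TIMELINE, MARKETPLACE, STORIES = "timeline", "marketplace", "stories"

@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_id: str
    surface: str     # where the user shared it, or meant to
    published: bool  # False for an upload the user never finished posting

@dataclass(frozen=True)
class Grant:
    app_id: str
    user_id: str
    scopes: frozenset  # permissions the user approved, e.g. {"user_photos"}

def visible_photos_buggy(photos: list, grant: Grant) -> list:
    """Over-grants: checks only scope and ownership, so Marketplace, Stories and
    unposted drafts all flow to the app."""
    if "user_photos" not in grant.scopes:
        return []
    return [p for p in photos if p.owner_id == grant.user_id]

def visible_photos_fixed(photos: list, grant: Grant) -> list:
    """Scopes the grant the way the quoted explanation says it should work:
    only photos the user actually published on their timeline."""
    if "user_photos" not in grant.scopes:
        return []
    return [p for p in photos
            if p.owner_id == grant.user_id and p.surface == TIMELINE and p.published]

# Constructed sample data: one user's photos plus one belonging to someone else.
SAMPLE_PHOTOS = [
    Photo("p1", "u1", TIMELINE, True),
    Photo("p2", "u1", MARKETPLACE, True),
    Photo("p3", "u1", STORIES, True),
    Photo("p4", "u1", TIMELINE, False),  # upload never finished posting
    Photo("p5", "u2", TIMELINE, True),   # another user's photo
]
SAMPLE_GRANT = Grant("app1", "u1", frozenset({"user_photos"}))

def over_granted_ids(photos: list = SAMPLE_PHOTOS, grant: Grant = SAMPLE_GRANT) -> list:
    """Photo ids the buggy filter exposes that the correct filter withholds."""
    allowed = {p.photo_id for p in visible_photos_fixed(photos, grant)}
    return [p.photo_id for p in visible_photos_buggy(photos, grant)
            if p.photo_id not in allowed]

print("over-granted:", over_granted_ids())  # ['p2', 'p3', 'p4']
```

The difference between the two lists is the audit question a developer of one of the affected apps would want answered: which photo ids did the app receive that the grant should never have covered.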

Bar said that a Facebook investigation revealed that 1,500 apps built by 876 developers might have been able to access the non-public photos of up to 6.8 million users.

It is unclear if any of these apps abused the bug to actually access and download users' private and non-posted photos.

Facebook said it would start notifying affected users. These include users who installed any of the 1,500 apps and gave the app permission to access their photos. The notification, displayed above, will list which of the apps the user had installed, allowing users to uninstall them if they wish. Users can also visit a dedicated web page to find out if they were affected.

Earlier this year, Facebook announced that an unknown threat actor had used a combination of three bugs to download personal data from over 50 million users, a number it later downgraded to 30 million.


Facebook is also the third major tech company to disclose a serious bug in one of its APIs. Twitter announced a similar API issue in September, and Google announced two API issues, one in October (500,000 users affected) and another in December (52.5 million users affected).
