Facebook Flaw Exposes Private Photos for 6.8M Users

The bug allowed 1,500 apps built by 876 developers to view users’ unposted “draft” photos.

Facebook on Friday disclosed a bug in its platform that it said enabled third-party apps to access unpublished photos of 6.8 million users.

Facebook stores copies of photo drafts, so if someone uploads the photo but doesn’t finish posting it, the photo will still be stored in the platform’s database. The bug gave third-party apps access to these drafted photos.

The social-media company said that it discovered the glitch in a photo application programming interface (API) that affected the platform for 12 days, between Sept. 13 and Sept. 25. The bug, which has since been fixed, gave some third-party apps “access to a broader set of photos than usual,” Facebook said.

While Facebook usually only grants apps with permissions access to photos that people share on their timeline, “In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories,” Tomer Bar, engineering director at Facebook, said in a post Friday. “The bug also impacted photos that people uploaded to Facebook but chose not to post.”
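The scoping failure described above, as an added illustration that is not Facebook's code: a buggy access check that lets a photo permission unlock every photo a user owns, beside the check that limits an app to photos the user actually shared on the timeline. The photo records, the surface labels and the treatment of `user_photos` as the relevant permission are assumptions made for the example.

```python
# Added illustration, not Facebook's implementation. Photo records, surface
# labels and the permission name used here are constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Photo:
    id: str
    owner: str
    surface: str      # "timeline", "marketplace" or "stories" (assumed labels)
    published: bool   # False for a photo uploaded but never posted (a draft)

# Constructed sample: one user with four photos of different kinds.
PHOTOS = [
    Photo("p1", "alice", "timeline", True),
    Photo("p2", "alice", "timeline", False),   # draft, never posted
    Photo("p3", "alice", "marketplace", True),
    Photo("p4", "alice", "stories", True),
]

def photos_for_app_buggy(photos, user, granted):
    """Over-broad check: the photo permission unlocks everything the user owns,
    including drafts and photos shared on other surfaces."""
    if "user_photos" not in granted:
        return []
    return [p for p in photos if p.owner == user]

def photos_for_app_fixed(photos, user, granted):
    """Scope-correct check: only photos the user published to the timeline."""
    if "user_photos" not in granted:
        return []
    return [p for p in photos
            if p.owner == user and p.surface == "timeline" and p.published]

def exposure_delta(photos, user, granted):
    """Ids the buggy check hands out that the fixed check withholds; a useful
    measure when assessing how many records an app could have over-read."""
    allowed = {p.id for p in photos_for_app_fixed(photos, user, granted)}
    return sorted(p.id for p in photos_for_app_buggy(photos, user, granted)
                  if p.id not in allowed)
```

The check belongs on the server side of the API; any filtering done by the app itself is irrelevant to what the platform already returned.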

Facebook photos exposed

Facebook said that up to 6.8 million users are affected, as well as up to 1,500 apps built by 876 developers. The company said it will alert potentially impacted users.

“Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug,” Facebook said. “We will be working with those developers to delete the photos from impacted users.”

Facebook has found itself embroiled in an array of security incidents this year – with this one only the latest.

In May, a Facebook software bug switched the “suggested audience” for posts to “public” for 14 million users. The glitch meant Facebook users who thought they were sharing content with just friends or small groups actually made their posts available to the general public.

In September, Facebook said that hackers had exploited a flaw in its “View As” feature that left the access tokens of almost 50 million Facebook accounts ripe for the taking.

In response to data-related incidents like these and its Cambridge Analytica scandal earlier in March, Facebook has tried to step up its game around security – in March the company announced it would expand its bug bounty program in an attempt to thwart improper data handling by third-party app developers.