UPDATE
Facebook said that 100 third-party app developers have improperly accessed the names and profile pictures of members in various Facebook groups – data that was restricted in 2018 by the platform after its Cambridge Analytica privacy snafu.
Facebook said that the developers – including 11 in the past two months alone – had improper access to the data through the Groups API. Groups API is an interface between Facebook and third-party apps, where the app can integrate with a group if it has been authorized by the administrators. Once the administrators approve the app, developers can access a broad level of data about the group – including the group’s name, the number of users and the content of posts.
App developers are supposed to now only get further information about the groups – including names and profile pictures of members connected with group activity – if the group members opt in. That’s due to a 2018 data restriction rule for the Groups API introduced by Facebook on the heels of Cambridge Analytica.
However, “today we are also reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API, although it’s likely that the number that actually did is smaller and decreased over time,” said Konstantinos Papamiltiadis, director of developer platforms and programs at Facebook, in a Tuesday post. “Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted.”
That’s because, “as part of an ongoing review of the ways people can use Facebook to share data with outside companies, we recently found that some apps retained access to group member information for longer than we intended,” a Facebook spokesperson told Threatpost. “We have since removed their access and have seen no evidence of abuse.”
Facebook told Threatpost said it didn’t have any more details to share regarding the number of Facebook groups impacted or how long the data was retained for.
Facebook also did not specify the names of the apps or the developers when asked by Threatpost, but said that the apps were primarily social-media management and video-streaming apps, designed to make it easier for group admins to manage their groups more effectively and to help members share videos to their groups.
“For example, if a business managed a large community consisting of many members across multiple groups, they could use a social-media management app to provide customer service, including customized responses, at scale,” said Papamiltiadis. “But while this access provided benefits to people and groups on Facebook, we made the decision to remove it and are following through on that approach.”
Facebook said they’ve seen no evidence of abuse, but will ask developers to delete any member data they retained. The social-media company said it will conduct audits to confirm that all improperly-collected data has been deleted.
The 2018 data restriction, which also required app developers using the Groups API to get approval from Facebook to integrate their apps to groups, also impacted other APIs on the platform, including the Pages API, Events API, Instagram Platform API and more.
“API Access should be treated as privileged and any access to API’s should follow privileged access management best practice security to ensure that access is approved and authorized,” Joseph Carson, chief security scientist at Thycotic, told Threatpost.
The 2018 restrictions came on the heels of outcry around third-party developer access. In fact, a 2018 Trustlook survey found that at least 25,936 malicious apps are currently using one of Facebook’s APIs, such as a login API or messaging API, which were allowing apps to access a range of information from Facebook profiles, like name, location and email address.
“APIs typically allow automation and integration to ensure that applications can perform the tasks to function properly,” Carson said. “However, many companies focus on making them available quickly and on ease of use then try plugging security controls into them after they have already been available for long periods of time. In some instances, when security is more difficult, companies have to change the way the API works or revoke the access to the API altogether which is what Facebook has done in this latest privacy failure.”
The announcement comes as Facebook continues looking to stomp out privacy issues on its platform more than a year after the Cambridge Analytica incident — and amidst several other Facebook data security problems over the past year (such as sketchy data sharing partnerships and other privacy violations).
Some say Tuesday’s announcement points to the social-media company’s efforts to be more transparent about the privacy issues on its platform. “It’s a positive sign to see Facebook tightening up their Groups feature API and communicating in a transparent way,” Matt Walmsley, EMEA director at Vectra, told Threatpost. “Although no malicious use of Groups’ members’ data extracted via the unintended API capabilities has been reported, Facebook’s announced changes really should have been identified and implemented back in April 2018 when they made their respective policy change.”
This article was updated Nov. 6 at 1pm to reflect further statements from Facebook.
What are the top mistakes leading to data breaches at modern enterprises? Find out: Join expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.