Facebook has today disclosed a major bug that existed on the platform for 12 days between September 13th and September 25th, 2018. The bug has now been fixed, but it opened up access to the private photos of over 6.8 million users to apps through the photo API.
Facebook says on their Developers Blog that apps are normally given access to photos that people share on their timeline. In this instance, though, the bug offered potential access to other photos, including on the Marketplace and Facebook Stories. It also provided access to images that hadn’t been posted publicly at all yet.
“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.”
Facebook plans to alert app developers who had access to the Facebook Photos API to determine which people using their app may be impacted. Facebook says that they “will be working with those developers to delete the photos of impacted users”. Given recent events, you’ll forgive me if I don’t take Facebook’s promise at face value.
They also say that they are sorry this happened and that they will be notifying those potentially impacted by the bug through an alert on Facebook. This notification will link them to a new page in the Facebook Help Center, which lists the apps they’ve used recently that were affected by the bug.
“We are also recommending people log into any apps with which they have shared their Facebook photos to check which photos they have access to.”
I can’t say that I’m surprised that Facebook is having another moment in the spotlight for potential privacy issues. Whether through bugs, by design, or just plain old apathy, Facebook’s got a lot of prior form for privacy failure. I can’t imagine this will be the last such piece of news we receive from Facebook, either.
If you want to find out more, head on over to the Facebook Developers blog.