
A Facebook Photo API bug exposed unposted photos of over 6.8 Million users to third-party apps

More data breach news, folks. And once again, as has been the case quite often in the past few months, the platform making users vulnerable is Facebook.

A fresh bug, revealed by the controversial (have to add this adjective now!) social networking giant, gave third-party apps access to user photos that users never permitted those apps to see. This bug affects over 6.8 Million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos. The numbers are fairly large, and considering how bug detection works, more users and apps could have been affected.

So what exactly has been leaked? Well, basically, if you are a user who gave one of those 1,500 affected apps access to your photos, there is a high chance that photos you did not allow to be shared have also been shared with the app. For example, when you upload a photo to Facebook but are unable to finish posting it – because of lost reception or lost retention to post it – Facebook stores a copy of that photo for three days so the person has it when they come back to the app to complete their post. Such half-baked uploads are also among the photos that could have been leaked.

The bug has been fixed for now, but it lasted for an estimated period of 12 days, from September 13 to September 25, 2018.

Facebook hasn’t really made it clear as to when it discovered the bug. In a response to TechCrunch, the company said it discovered the bug on September 25th. It says it took time to investigate which apps and people were impacted, and to build and translate the warning notification it will send to impacted users.

In terms of apology, the company has really gone out of its way with a serious effort to resolve your leaked data issues (pun intended). Want to know how? By this sentence:

We’re sorry this happened.

That is all Facebook has to offer in terms of an apology. Pretty ironic, coming from a company whose founder was seen saying this to the US Congress:

We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.

What Facebook does or does not deserve after this is for you and us to ponder.