Facebook announced that photos of 6.8 Million users might have been exposed by a bug in the Photo API allowing third-party apps to access them.
The bug impacted up over 870 developers, only apps granted access to photos by the user could have exploited the bug.
According to Facebook, the flaw exposed user photos for 12 days, between September 13 and September 25, 2018.
The flaw was discovered by the Facebook internal team and impacted users who had utilized Facebook Login and allowed third-party apps to access their photos.
“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.” reads a post published by Facebook.
Theoretically, applications that are granted access to photos could access only images shared on a user’s timeline. The bug could have exposed also other photos, including ones shared on Facebook Marketplace or via Stories, and even photos that were only uploaded but not posted.
“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.” continues the post.
Facebook is notifying impacted people via an alert in their account.
“We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.” concludes Facebook.
“We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.”
(Security Affairs –Facebook, privacy)