A Bug Exposed Millions of Facebook Users’ Unpublished Photos to Apps

Facebook's stock security banner

We expect a level of control when it comes to publishing content, and sometimes we don’t want some things published — even if we’ve uploaded them to a service.

Well, it turns out Facebook has found itself in a bit of hot water yet again. The social network has confirmed that between September 12 and September 25, a photo API bug gave app developers access to unpublished photos. Specifically, for Facebook users who had previously given apps permission to pull Timeline photos, Marketplace photos, and Facebook Stories, the bug also let those apps read photos those users had uploaded to Facebook but never actually shared.

This is the first time that Facebook has said anything about this photo API bug. According to TechCrunch, upon further inquiry from the publication, the social network says it discovered the bug on September 25 and patched it that same day. Still, millions of users were affected: between 5.6 million and 6.8 million profiles.

“Facebook initially didn’t disclose when it discovered the bug, but in response to TechCrunch’s inquiry, a spokesperson says that it was discovered and fixed on September 25th. They say it took time for the company to investigate which apps and people were impacted, and build and translate the warning notification it will send impacted users. The delay could put Facebook at risk of GDPR fines for not promptly disclosing the issue within 72 hours that can go up to 20 million pounds or 4 percent of annual global revenue.”

Facebook says it’s “sorry this happened”, but that’s about it. The social network says it will release tools next week that let app developers find out whether they hold user photos they shouldn’t, along with a way to delete them. Facebook also plans to email affected users, and the notice will also appear as a notification within the Help Center. The company is also suggesting that users log into the apps they use to find out whether those apps have access to photos they shouldn’t.

Facebook also says that photos that were shared privately in Messenger weren’t accessible. And photos that weren’t uploaded to Facebook shouldn’t be affected, either.
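To make the permission mismatch concrete, here is a minimal model of the flaw described above, written for this article in Python; it is not Facebook's code, and the scope names, surfaces and sample photo library are constructed. The "buggy" lister checks only which surface a scope covers, the "fixed" lister also requires that the user actually published the photo, and the difference between the two is the kind of list a cleanup tool for developers would produce. Messenger photos never appear because no photo scope covers that surface, matching what Facebook said.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical). 'visibility' records what the user
# actually did with each upload: only "published" photos were meant to be
# readable by an app holding the matching photo scope.
@dataclass(frozen=True)
class Photo:
    photo_id: str
    surface: str      # "timeline" | "marketplace" | "stories" | "messenger"
    visibility: str   # "published" | "draft" | "private"

PHOTOS = [
    Photo("p1", "timeline", "published"),
    Photo("p2", "timeline", "draft"),        # uploaded, never posted
    Photo("p3", "marketplace", "published"),
    Photo("p4", "stories", "draft"),         # uploaded, never posted
    Photo("p5", "messenger", "private"),     # shared privately in Messenger
]

# Hypothetical scope names; each grants access to one surface.
SCOPE_TO_SURFACE = {
    "timeline_photos": "timeline",
    "marketplace_photos": "marketplace",
    "stories": "stories",
}

def _surfaces(granted_scopes):
    return {SCOPE_TO_SURFACE[s] for s in granted_scopes if s in SCOPE_TO_SURFACE}

def list_photos_buggy(granted_scopes, photos=PHOTOS):
    """Models the flaw: filters on surface only, ignoring whether the
    photo was ever published, so drafts leak to any app with the scope."""
    surfaces = _surfaces(granted_scopes)
    return [p.photo_id for p in photos if p.surface in surfaces]

def list_photos_fixed(granted_scopes, photos=PHOTOS):
    """Hardened: a scope grants only what the user actually shared there."""
    surfaces = _surfaces(granted_scopes)
    return [p.photo_id for p in photos
            if p.surface in surfaces and p.visibility == "published"]

def overexposed(granted_scopes, photos=PHOTOS):
    """Remediation view: photo IDs an app could have read under the flaw
    but should never have seen, i.e. what a developer should delete."""
    leaked = set(list_photos_buggy(granted_scopes, photos))
    allowed = set(list_photos_fixed(granted_scopes, photos))
    return sorted(leaked - allowed)
```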

There is a lot to unpack here, especially the discovery of something new that Facebook apparently has access to. Facebook appears to keep photos you didn’t share publicly, even if you didn’t finish uploading them. And the fact those photos can then be handed to third-party entities isn’t great. It feels like the company is on a downward slope it can’t get off.

[via TechCrunch]