Facebook Bug Leaves Photos of 6.8 Million Users Vulnerable

Another Facebook bug has reportedly affected almost 7 million users who shared photos with up to 1,500 apps, according to the company.

ABC News reports that Facebook has suffered yet another internal bug which left the personal data of their users at risk. A post on the company’s developer blog states: “Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.”

The post further explains the situation stating: “When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it — maybe because they’ve lost reception or walked into a meeting — we store a copy of that photo so the person has it when they come back to the app to complete their post.”

According to Facebook, this latest bug could affect “up to 6.8 million users and up to 1,500 apps built by 876 developers.” The company stated that: “The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.” Users affected by the bug were notified via a Facebook alert, the company stated.

In October, Facebook revealed that a bug allowed hackers to steal the security tokens of other users accounts and use these to then access that user’s account. These security tokens are like digital keys which keep users logged into Facebook so they don’t have to re-login every time they visit the website.

It later came to light that the same security tokens could be used to access accounts of websites that use the “Facebook Login” feature. This means that any third-party app that uses the “Facebook Login” feature could be at risk, including apps such as Instagram, Tinder, Airbnb and many others. Guy Rosen, Facebook’s vice president of product management, stated in the blog post revealing the bug: “The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves.”

In January, Wired reported that a bug in Facebook’s ad-targeting tools allowed advertisers to gain Facebook users’ phone numbers from their email address and even allowed gave advertisers access to the phone numbers of users that visited a particular web page. The issue was reported by a group of researchers from the U.S., France, and Germany at the end of May. Facebook paid out a “bug bounty” of $5000 to the researchers at the time and implemented a fix for the bug on December 22.

And of course, most infamously, the Cambridge Analytica data scandal left the user data of 87 million users vulnerable. A class-action lawsuit has since been taken against Facebook over the data breach.