On its developers blog today, Facebook disclosed a major photo API bug that left the private images of millions of users exposed to third-party apps. The bug, which has been fixed, was live from September 13, 2018 to September 25, 2018. During that time, some third-party apps may have had permission to access images uploaded to the service but not posted, as well as photos shared outside of the user’s timeline.
Facebook users can grant third-party apps permission to access images they’ve shared on the platform, but that permission is “usually” limited to photos the user published on their timeline, according to the company. The photo API bug, however, may have given some third-party apps permission beyond timeline images, including photos uploaded to the platform but not published, Facebook Stories content, and images shared on Marketplace.
As of its initial disclosure on December 14, Facebook said, “Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers.”
Facebook plans to alert users who were potentially affected by the bug. A new Help Center page on Facebook’s support website provides a tool that shows users whether they have used any apps that potentially had access to their private images. The company will also provide app developers with a tool “early next week” that shows whether their apps were affected by the photo API bug.
“We are also recommending people log into any apps with which they have shared their Facebook photos to check which photos they have access to,” the company said in its disclosure.
The bug is the latest in a growing number of privacy debacles at Facebook. Earlier this year, the company suspended hundreds of third-party apps during its Cambridge Analytica scandal, which had revealed that data on 87 million Facebook users had been harvested and improperly used.