Facebook: API Bug gave apps access to images from 6.8 million users

A bug in Facebook’s Photo API gave apps more access to images than users had intended, including unpublished images.


Once again, Facebook has to face a serious data breach: for a short period in September this year, a bug in the image processing programming interface (Photo API) gave third-party apps a chance to access all the pictures from a Facebook account. The condition, however, was that the user had previously granted the app access rights to certain images.




The company said in a blog post for software developers that it had discovered a bug in the Photo API that, between September 13th and 25th, 2018, allowed third-party apps using Facebook login to access “a larger set of images than usual”. As technical director Tomer Bar writes, the bug affects the way in which apps access the pictures a Facebook user has shared on the timeline. During the 13-day period in September, apps were also able to access other shared photos, as well as photos that the user did not publish. Facebook admitted that it also kept unused pictures, for example from posts that had not yet been sent, for several days for the convenience of users.

Facebook currently assumes that the API error affected up to 1500 apps from 876 developers, and that the images of 6.8 million users who used these apps have therefore been accessed. The company wants to provide developers with a tool to check whether users of their apps were affected, and also to inform the affected users separately and show them which of the apps in question they were using.


The period in which the data protection gap existed is relatively short. However, the statements in the blog post on the extent of the unwanted access to images are quite vague: although Tomer Bar does not speak of all the pictures of a user account, the bug affects both shared and unpublished photos, in other words all the photos that users have uploaded to Facebook.

It is also unclear why the announcement was made so long after the incident. Bar said only that the bug had been fixed, but not whether that was already done at the end of September and the company then waited, or whether the bug was discovered only recently and the gap had been closed in September, maybe just by chance. Facebook wants to work with the developers in question and make sure they delete any downloaded user photos.




Facebook has recently been struggling with numerous scandals involving unwanted access to user data or a hack. After the political scandal around the analysis company Cambridge Analytica, there was a hack in which the data of millions of users was copied because of security vulnerabilities on the website. Hackers also offered data for 120 million Facebook users, possibly from another hack.

The effort toward more privacy compliance also saw a recent mishap: a GDPR tool belonging to Facebook's picture service Instagram exposed the user password in plain text. And it has just been revealed that Android apps share a lot of data with Facebook without users wanting it, using the Facebook SDK’s analytics features.


Meanwhile, the Irish Data Protection Commission (DPC) has launched an investigation into the various incidents at Facebook, Bloomberg reports. Under the General Data Protection Regulation (GDPR) in force in the EU, the authority had made a request to Facebook in order to determine a possible violation of the rules.

According to the Bloomberg report, a Facebook spokesman said that once the gap in the Photo API had become known, the company first checked whether the incident was subject to reporting requirements under the GDPR; when it was established that this was the case, it notified the competent Irish authority within the prescribed period of 72 hours.

 
