In yet another blunder, social media giant Facebook has announced that an API bug allowed app developers to access private photos of around 6.8 million users.
Facebook said that the bug remained active for 12 days, between September 13 and September 25. To make matters worse, up to 1,500 apps built by 876 developers had access to images that users had never authorized them to see, or that users had uploaded but not posted. The bug also affected users who used Facebook Login and gave third-party apps access to their photos, according to news reports.
When users give third-party apps access to their photos, the permission generally extends only to photos that the user has posted to their timeline. The bug, however, allowed applications access to images that were shared on Facebook Stories and Facebook Marketplace. If users fail to upload their photos because of a connection error or other problems, Facebook typically stores a copy of the photo for 3 days, allowing users to get right back where they left off. The bug allowed apps access to those photos as well.
In a blog post, Facebook apologized for the bug and promised to provide tools for app developers that will help determine which users may have been affected by the bug. The company intends to work with the developers to ensure that any relevant photos have been deleted. Over the coming days, Facebook plans to directly contact users who may have been impacted by the bug. The company has also set up a dedicated help center link offering further information and assistance.
As a result of the latest privacy issue, the Irish Data Protection Commissioner (DPC) said that it will begin investigating Facebook. It will examine the company’s compliance with relevant provisions of the General Data Protection Regulation (GDPR). Although Facebook didn’t reveal when it discovered the recent bug, Europe’s GDPR requires companies to report such data breaches to the relevant European authority within 72 hours of discovery; failure to do so can result in heavy fines.
The overall scale of the latest bug may be relatively small compared to Facebook’s 2 billion-strong user base, but the news came at a sensitive time for the social media giant, which is still struggling with privacy and security issues. Apart from the highly controversial Cambridge Analytica scandal that came into the public’s consciousness in March this year, Facebook has said that it accidentally set the privacy settings of 14 million users to ‘public’ for status updates. It also revealed another data breach that impacted around 50 million user accounts.