
Facebook API Bug Exposed 6.8M Users’ Private Photos to App Developers

Facebook has stumbled on security yet again. The social media giant said last Friday that a photo API bug let third-party apps see pictures belonging to nearly 7 million users that the apps were not authorized to access.

The bug may have let up to 1,500 apps built by 876 developers reach photos they had no right to see. Most troubling, some third-party apps could view photos that people had uploaded to Facebook but never shared. Apps are normally granted access only to photos people have posted on their timeline.

Facebook VP Tomer Barel

“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos,” said Tomer Bar, engineering director at Facebook, in a post. “We’re sorry this happened.”

Facebook has fixed the issue, Bar said, and this week will give app developers a set of tools to determine which of their users may have been affected by the bug. "We will be working with those developers to delete the photos from impacted users," he said.
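The failure the article describes is an authorization filter that keys on the wrong attribute: an app holding a permission that covers shared timeline photos is handed every photo the user ever uploaded. The following is an added, illustrative example written for this page; it is not Facebook's code, and the `Photo` records, the `user_photos` scope name, the grant table and the function names are all constructed assumptions. It shows the over-broad check beside the corrected one, plus the kind of per-user diff that a developer-facing "who was affected" tool like the one Facebook promises would need to produce.

```python
"""Illustrative model (not Facebook's code) of an authorization filter that
releases unshared photos to an app scoped only to shared timeline photos."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    uploaded: date
    posted_to_timeline: bool  # True only once the user actually shared it


# Constructed sample data: 'alice' uploaded three photos and shared two;
# 'bob' owns one photo that no app below is authorized to see.
PHOTOS = [
    Photo("p1", "alice", date(2018, 9, 1), True),
    Photo("p2", "alice", date(2018, 9, 14), False),  # uploaded, never posted
    Photo("p3", "alice", date(2018, 9, 20), True),
    Photo("p4", "bob", date(2018, 9, 20), True),
]

# Hypothetical grant table: (app_id, user_id) -> permission scopes the user
# approved for that app via a login dialog. 'user_photos' is an assumed name.
GRANTS = {("photo_app", "alice"): {"user_photos"}}


def _has_scope(app_id, user_id, grants, scope="user_photos"):
    """Coarse check: did this user grant this app the photo scope at all?"""
    return scope in grants.get((app_id, user_id), set())


def photos_for_app_vulnerable(app_id, user_id, photos=PHOTOS, grants=GRANTS):
    """Over-broad: passes the scope check, then filters on ownership only, so
    every photo the user ever uploaded is returned, shared or not."""
    if not _has_scope(app_id, user_id, grants):
        return []
    return [p.photo_id for p in photos if p.owner == user_id]


def photos_for_app_fixed(app_id, user_id, photos=PHOTOS, grants=GRANTS):
    """Corrected: the filter encodes what the scope actually means, namely
    photos the user has posted to their timeline."""
    if not _has_scope(app_id, user_id, grants):
        return []
    return [p.photo_id for p in photos
            if p.owner == user_id and p.posted_to_timeline]


def find_overexposed(app_id, user_id, photos=PHOTOS, grants=GRANTS):
    """After-the-fact audit: photo IDs the vulnerable path released to the
    app that the granted scope never covered. An empty list means the app
    saw nothing it should not have for this user."""
    leaked = set(photos_for_app_vulnerable(app_id, user_id, photos, grants))
    allowed = set(photos_for_app_fixed(app_id, user_id, photos, grants))
    return sorted(leaked - allowed)


if __name__ == "__main__":
    print("vulnerable:", photos_for_app_vulnerable("photo_app", "alice"))
    print("fixed:     ", photos_for_app_fixed("photo_app", "alice"))
    print("overexposed:", find_overexposed("photo_app", "alice"))
```

The point of the two functions side by side is that both "check permissions"; the difference is whether the data filter matches the semantics of the permission the user was shown. An audit tool built on the diff (`find_overexposed`) is what lets a developer answer, per user, which records must be deleted.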

The bug was live from September 13 to September 25, when Facebook discovered and fixed it. It was not until November 22, roughly two months later, that Facebook notified Ireland's Data Protection Commission (DPC), its lead supervisory authority under the General Data Protection Regulation (GDPR); the DPC has since opened an investigation. GDPR's Article 33 requires a controller to notify its supervisory authority within 72 hours of becoming aware of a personal data breach where feasible, so it is not clear whether Facebook will face fines for the apparent delay in reporting the incident.

As for the bug's fallout, Facebook said it will notify potentially affected people through a Facebook post directing them to a Help Center page, where they can see whether they have used any of the apps affected by the bug.

The photo API bug may be small potatoes compared with, say, the Cambridge Analytica scandal, which affected up to 87 million users, but hot water is hot water. By a number of measures, the company is surrounded by it.

Facebook's Special Offer?

Recently, a U.K. legislator charged Facebook with offering a select group of notable companies special access to private user data in exchange for at least $250,000 in advertising revenue.

Damian Collins, a member of the British Parliament, accused the social media giant of making so-called "white-listing agreements," or pay-to-play deals, that it concealed for years, according to a Washington Post account. Collins, who has become a thorn in Facebook's side, dropped the hammer when he released about 250 pages of internal documents showing the company had made backroom deals with Airbnb, Badoo, Lyft, Netflix, the Royal Bank of Canada and Tinder, giving them heightened access to its crown jewels of user data in return for big ad deals.

The allegations first arose from internal emails in court filings, first reported by the Wall Street Journal, showing that Facebook either granted or considered granting access to its user data to companies that spent large sums on ads on its platform. If true, the practice would run counter to Facebook's adamant, long-held position that it does not sell user data. Materials in those disclosures also appear to contradict the company's staunch stance that access to its platform is open and free for application developers.

The explosive claims stem from a lawsuit brought by Six4Three, a small developer that Collins reportedly compelled to hand over sealed court documents implicating top Facebook executives and chairman Mark Zuckerberg in setting loose data privacy policies. While Facebook has not denied the authenticity of the documents, in a statement it called them "cherry-picked." The company also defended itself against claims that it sold user data. The Six4Three documents, Facebook said, were "selectively leaked to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we've never sold people's data." It also pushed back on the white-listing charges, claiming that white-listing is "common practice when testing new features and functionality with a limited set of partners before rolling out the feature more broadly."

As of December 17, Facebook's stock has slid 35 percent from its 52-week high of $218.62 five months ago.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.