FACEBOOK disclosed the latest in an ongoing series of privacy and security lapses that have come to define the company in 2018. For nearly two weeks in September, a bug let third-party developers view the photos of up to 6.8 million Facebook users, whether they’d shared them or not, the company said today. These apps were authorized to see only a limited set of users’ photos, but the bug let them retrieve pictures they had never been granted access to. Those included photos from people’s Stories as well as photos that people uploaded but never posted (Facebook keeps a copy of an unfinished upload anyway).
The exposure occurred between September 12th and September 25th.
Affected users will receive a notification alerting them that their photos may have been exposed and which apps might have their photos on hand, or you can head to this page now to see whether you’re one of the millions affected. Facebook also says it’ll be working with developers to delete copies of photos they weren’t supposed to access. In total, up to 1,500 apps from 876 different developers may have inappropriately accessed people’s pictures.
Facebook said the bug stemmed from an error involving Facebook Login and its photos API, which lets developers access a user’s Facebook photos within their own apps. Every impacted user had logged into a third-party app with their Facebook account and granted that app some degree of access to their photos; the bug then returned photos beyond what that grant was supposed to cover. So you are potentially affected if you use Facebook Login to sign into apps that asked for photo access.
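To make the failure mode concrete, here is a toy model of a scoped photo endpoint, written as an illustration for this page and not Facebook’s code. It assumes a single permission name (`user_photos`), a per-photo “surface” label (`timeline`, `story`, `unposted`) and constructed sample users, apps, photos and an access log; none of those are from the disclosure. The buggy handler checks that the permission was granted but not what the permission covers, the fixed handler filters each photo against the policy, and an audit function replays a served-photo log against the correct policy to compute what each app should be asked to delete.

```python
"""Toy model of a scoped photo API. Hypothetical illustration, not Facebook's code.
Permission name, surface labels and sample data are all assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    surface: str  # assumed labels: "timeline", "story" or "unposted"


@dataclass(frozen=True)
class Token:
    """An app's access token for one user, with the permissions that user granted."""
    app_id: str
    user: str
    scopes: FrozenSet[str]


# Policy (assumption): the photo permission covers only photos the user posted to
# their timeline. Story photos and uploads never finished are outside it.
SCOPE_SURFACES: Dict[str, Set[str]] = {"user_photos": {"timeline"}}


def permitted_surfaces(token: Token) -> Set[str]:
    """Union of photo surfaces the token's granted scopes may read."""
    allowed: Set[str] = set()
    for scope in token.scopes:
        allowed |= SCOPE_SURFACES.get(scope, set())
    return allowed


def list_photos_vulnerable(token: Token, store: Sequence[Photo]) -> List[Photo]:
    """Bug pattern: confirms the permission exists, then returns every photo the
    user owns, regardless of whether the permission covers that surface."""
    if "user_photos" not in token.scopes:
        raise PermissionError("user_photos not granted")
    return [p for p in store if p.owner == token.user]


def list_photos_fixed(token: Token, store: Sequence[Photo]) -> List[Photo]:
    """Hardened: each photo is checked against the surfaces the scopes cover."""
    allowed = permitted_surfaces(token)
    if not allowed:
        raise PermissionError("no photo permission granted")
    return [p for p in store if p.owner == token.user and p.surface in allowed]


def overexposed(token: Token, store: Sequence[Photo]) -> List[str]:
    """Photo ids the buggy handler serves that the policy never permitted."""
    permitted_ids = {p.photo_id for p in list_photos_fixed(token, store)}
    return [p.photo_id for p in list_photos_vulnerable(token, store)
            if p.photo_id not in permitted_ids]


def audit_served(log: Sequence[Tuple[str, str, str]],
                 tokens: Dict[Tuple[str, str], Token],
                 store: Sequence[Photo]) -> Dict[str, List[str]]:
    """Replay a log of (app_id, user, photo_id) served during the exposure window
    against the correct policy; return, per app, the ids it should never have
    received (the set a developer would be asked to delete)."""
    by_id = {p.photo_id: p for p in store}
    to_purge: Dict[str, List[str]] = {}
    for app_id, user, photo_id in log:
        token = tokens[(app_id, user)]
        photo = by_id[photo_id]
        if photo.owner != token.user or photo.surface not in permitted_surfaces(token):
            to_purge.setdefault(app_id, []).append(photo_id)
    return to_purge


# Constructed sample data (not real users, apps or photos).
PHOTOS: List[Photo] = [
    Photo("p1", "alice", "timeline"),
    Photo("p2", "alice", "story"),
    Photo("p3", "alice", "unposted"),
    Photo("p4", "bob", "timeline"),
    Photo("p5", "bob", "unposted"),
]
TOKENS: Dict[Tuple[str, str], Token] = {
    ("app-1", "alice"): Token("app-1", "alice", frozenset({"user_photos"})),
    ("app-2", "bob"): Token("app-2", "bob", frozenset({"user_photos"})),
}
# Constructed access log: what the buggy endpoint served during the window.
SERVED_LOG: List[Tuple[str, str, str]] = [
    ("app-1", "alice", "p1"), ("app-1", "alice", "p2"), ("app-1", "alice", "p3"),
    ("app-2", "bob", "p4"), ("app-2", "bob", "p5"),
]

if __name__ == "__main__":
    token = TOKENS[("app-1", "alice")]
    print("buggy:", [p.photo_id for p in list_photos_vulnerable(token, PHOTOS)])
    print("fixed:", [p.photo_id for p in list_photos_fixed(token, PHOTOS)])
    print("overexposed:", overexposed(token, PHOTOS))
    print("to purge:", audit_served(SERVED_LOG, TOKENS, PHOTOS))
```

The point the model makes is that the check “was this permission granted?” is not the same as “does this permission cover this object?”; the fixed handler carries the policy down to each item it returns, and the audit uses that same policy to turn an access log into a per-developer deletion list.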
“We’re sorry this happened,” writes Tomer Bar, engineering director at Facebook. The disclosure comes exactly one day after Facebook opened a pop-up installation in New York to show people how “you can manage your privacy” on the site.
Bugs happen, even to the most rigorous companies. “We can’t ever expect to get to a point where there are no vulnerabilities left,” says Alex Rice, CTO of the bug bounty platform HackerOne. “And there’s a lot of anger and finger pointing and frustration about how do we still have security bugs and privacy bugs, and how are these things still happening?”
The year 2018 has been a bruising one for the social media giant, from the Cambridge Analytica scandal to revelations that Facebook mishandled user data, failed to stop the spread of fake news, and targeted George Soros for opposition research.
The delay in reporting this incident, noticed on September 25th, could put Facebook at risk of GDPR fines for not disclosing the issue to its regulator within 72 hours of becoming aware of it; those fines can reach 20 million euros or 4 percent of annual global revenue, whichever is higher.
However, Facebook claimed it notified the IDPC that oversees GDPR on November 22nd, as soon as it established the bug was considered a reportable breach under GDPR guidelines. It says that it had to investigate to make that conclusion and let the IDPC know within 72 hours once it had. “The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018. With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s
Facebook says the bug did not impact photos privately shared through Messenger. Nor would it have exposed photos users never uploaded to Facebook from their camera roll or computer. But photos users uploaded but then decided not to post, that got interrupted by connectivity issues, or that they otherwise never finished sharing could have wound up with app developers.
The privacy failure will further weaken confidence that Facebook is a responsible steward for our private data. It follows Facebook’s massive security breach that allowed hackers to scrape 30 million people’s information back in September. There was also November’s bug allowing websites to read users’ Likes, October’s bug that mistakenly deleted people’s Live videos, and May’s bug that changed people’s status update composer privacy settings. It increasingly looks like the social network has gotten too big for the company to secure. Curiously, Facebook discovered the bug on September 25th, the same day as its 30 million user breach. Perhaps it kept a lid on the situation in hopes of not creating an even bigger scandal.
That Facebook keeps photos you partially uploaded but never posted is creepy in the first place, but the fact that these could be exposed to third-party developers is truly unacceptable. That the company seems so worn down by its failings that it couldn’t muster even a seemingly heartfelt apology is telling. Its troubles are not only souring users on Facebook, but employees and the tech industry at large as well. CEO Mark Zuckerberg told Congress earlier this year that “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.” What does Facebook deserve at this point?