By Shannon Morse

In a news bulletin posted by Facebook on Friday, the company explained that a Photo API bug may have affected anyone who granted third-party apps permission to access their photos. The problem was fixed, but it created a bigger issue: some third-party apps may have had access to a much broader range of photos for up to 12 days, from September 13 through September 25. Facebook discovered and remedied the bug on September 25. According to TechCrunch, the Office of the Data Protection Commissioner of the EU was notified on November 22, following the EU's guidelines. Under the GDPR, Facebook has to notify the EU of data breaches within 72 hours, and since November 22 was two months after discovery, Facebook's reasoning is that the Commission was notified once the bug was considered reportable after Facebook’s investigation.

In the bulletin on Facebook's Developer News page, Tomer Bar shared how Facebook grants permission to third-party apps requesting access to photos. Usually, those apps only get access to photos shared on a timeline. The API bug gave third-party devs access to photos also shared on Marketplace or on Facebook Stories, as well as photos that were uploaded to Facebook but never published. How could they have access to photos that were never published? Well, Facebook stores these “drafts” for 3 days just in case you come back to the post and want to finish uploading them. Facebook determined this affected 6.8 million users and 1500 apps by 876 devs. Bar said the apps were ones Facebook had approved, and the users affected were ones who had authorized access to photos.

Facebook will be rolling out new tools for devs this week to give them a better scope of information about this bug, and they’ll also be working with devs to delete photos from impacted users. Facebook will be notifying affected users as well, with a notification on the platform. If you don’t want to wait for a notification, you can click the help link, which will take you directly to a page that can determine whether or not you were affected. Lastly, Facebook recommends that users log into any apps that may have access, to check what kind of photo access they currently have. You can check which apps have permission to access Facebook content through your Facebook settings.

It’s unknown whether devs knew they had access to private photos, or if this bug was abused by any of the third-party apps.

Facebook has had data breaches or bugs every month since at least September this year, with this one being the newest discovery. Is it ironic that this bug was found on the same day, September 25th, that 30 million users were impacted by a security breach on the platform as well? I wonder why we’re just hearing about this one now… Hmm...


Comments

Anonymous

Curious - does "Facebook determined this affected 6.8 million users and 1500 apps by 876 devs." seem to make sense?

Anonymous

I love these updates from Shannon on big stories, but I've noticed the volume level is always significantly quieter than other DTNS episodes or most other podcasts. Is there something that could be done easily to fix that?

Anonymous

It is a TekThing deal. They had good audio for a while after having awful when they moved to Hak5 new place. Something happened @3 months ago and audio went very uneven and low.