Facebook bug exposes 6.8 million users' hidden photos to thousands of third-party apps

Bug is latest in series of high-profile privacy scandals at the social network

Anthony Cuthbertson
Friday 14 December 2018 18:16 GMT


Facebook has once again been hit by a major bug, this time one that exposed private photos belonging to millions of users.

The bug gave third-party apps access to photos of up to 6.8 million users, including photos those users had not shared with the apps. Facebook says the issue has now been fixed.

“We’re sorry this happened,” Facebook’s engineering director Tomer Bar wrote in a post detailing the bug.

“Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

The bug was live between 13 September and 26 September 2018 and gave up to 1,500 third-party apps access to the affected photos during that window, Mr Bar revealed.

People affected by the bug will be notified by a Facebook alert, which will give more information about the issue.

“We are also recommending people log into any apps with which they have shared their Facebook photos to check which photos they have access to,” he said.

Security experts told The Independent that Facebook ignored basic risk procedures when it rolled out the update containing the bug.

"This defect should never have been pushed into production," said Andrew Van der Stock, a senior principal consultant at software firm Synopsys.

"A simple threat model would have discovered this flaw before any code was written... Possibly the developers might have been unaware of this basic principle, as it's typically not taught in many computer science degrees. Both of these basic activities indicate developers and security folks must work together during the design and implementation of the API, rather than after it was released."
