Facebook bug exposes 6.8 million users' hidden photos to thousands of third-party apps

Bug is latest in series of high-profile privacy scandals at the social network

Anthony Cuthbertson
Friday 14 December 2018 18:16 GMT


Facebook has once again been hit by a major bug exposing the accounts of millions of users.

The bug gave third-party apps access to photos of up to 6.8 million users, though Facebook says the issue has now been fixed.

“We’re sorry this happened,” Facebook’s engineering director Tomer Bar wrote in a post detailing the bug.

“Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

The bug gave up to 1,500 third-party apps access to photos between 13 September and 26 September 2018, Mr Bar revealed.

People affected by the bug will be notified by a Facebook alert, which will give more information about the issue.

“We are also recommending people log into any apps with which they have shared their Facebook photos to check which photos they have access to,” he said.

Security experts tell The Independent that Facebook ignored basic risk procedures in rolling out the update containing the bug.

“This defect should never have been pushed into production,” said Andrew Van der Stock, a senior principal consultant at software firm Synopsys.

“A simple threat model would have discovered this flaw before any code was written... Possibly the developers might have been unaware of this basic principle, as it’s typically not taught in many computer science degrees. Both of these basic activities indicate developers and security folks must work together during the design and implementation of the API, rather than after it was released.”
