Pictures users “uploaded to Facebook but chose not to post,” as well as Facebook Stories, were left vulnerable
Facebook announced on Friday that a software bug exposed the private photos of millions of users to app developers, marking the latest security issue in a year full of them for the social network.
“We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018,” engineer Tomer Bar said in a post aimed at developers.
Bar explained that apps are typically allowed to access photos that users have shared to their timelines, but the bug gave developers the pictures shared on Marketplace and Facebook Stories as well. Pictures that users “uploaded to Facebook but chose not to post” were also vulnerable to being lifted by developers.
The issue has impacted up to 6.8 million users and up to 1,500 apps, according to the post. The only apps that were affected by the bug had been authorized by users to access their phones, Bar added. The company will notify users potentially hit by the bug with an alert on Facebook.
“We’re sorry this happened,” Bar said. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”
Facebook has been hit by several security issues this year — most notably the Cambridge Analytica data leak that came to light in March, which exposed up to 87 million users by having their profile information grabbed by the political firm in 2014. In September, the phone numbers and search history of about 30 million users were also vulnerable to a Facebook security breach.
Facebook shares decreased by 0.25 percent in early morning trading, hitting $144.65 per share.