Facebook bug potentially exposed photos of 6.8 million users to developers

The bug went unchecked for 12 days between September 13th and September 25th, 2018


Menlo Park-based social networking giant Facebook has informed its developer community that a Photos API bug may have exposed the photos of up to 6.8 million users to third-party apps.

According to a December 14th, 2018 Facebook developers blog post penned by Facebook engineering director Tomer Bar, “some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13th to September 25th, 2018.”

Bar explained that the bug may have affected up to 1,500 apps built by 876 developers.

“The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos,” wrote Bar in the same post.

Bar explained that Facebook’s platform usually only allows access to photos shared on a user’s timeline.

However, the bug potentially gave access to photos shared on the Facebook Marketplace as well as through Facebook Stories.

“The bug also impacted photos that people uploaded to Facebook but chose not to post,” wrote Bar.

“For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting — we store a copy of that photo so the person has it when they come back to the app to complete their post.”

Bar said that users affected by the bug will be notified through a Facebook alert, where they’ll be directed to the platform’s help centre.

Additionally, Facebook is working to roll out tools that will allow developers to determine which users may have been affected by the bug.

Bar explained that Facebook will work with developers to make sure that photos affected by the bug are deleted.

“We are also recommending people log into any apps with which they have shared their Facebook photos to check which photos they have access to,” concluded Bar.

The Photos API bug follows in the wake of the Facebook ‘View As’ hack, which was initially thought to have affected approximately 50 million users, but was then revised to approximately 30 million users.

This is the most recent Facebook privacy scandal, and the company has spent much of 2018 attempting to win back public trust following the Cambridge Analytica privacy breach and the more recent View As hack.

MobileSyrup has reached out to Facebook and the Office of the Privacy Commissioner of Canada for comment. This story will be updated with a response.

Source: Facebook


  • Sameer Chhabra