Another day, another Facebook data scandal. The latest privacy blunder from the Menlo Park firm involves personal photos.
Facebook revealed in a developer update on Friday that a bug in its Photo API may have given app developers access to photos of nearly 6.8 million users — even if those photos weren’t shared publicly.
The social media juggernaut told TechCrunch that it had discovered and fixed the security vulnerability on Sept. 25. But, apparently, the flaw was active for 12 days between Sept. 13 and Sept. 25, 2018.
Specifically, Facebook wrote that the bug affected users who “used Facebook Login and granted permissions to third-party apps to access their photos.”
Access of this kind is typically granted only to pictures that users post on their Timeline. But the security flaw potentially gave developers access to other photos, like pictures shared on Facebook’s Marketplace or through the Facebook Stories feature.
“The bug also impacted photos that people uploaded to Facebook but chose not to post,” the company added.
Currently, the social media company estimates that about 1,500 apps from 876 different developers were impacted by the security vulnerability. All in all, those apps were used by about 6.8 million users.
Starting next week, the company will provide app developers with tools that will allow them to check whether they, or their users, were impacted. It will also work with app developers to delete photos that they shouldn’t have had access to.
Similarly, Facebook will begin sending a notification to users it suspects were impacted. Clicking on the notification will bring users to the Help Center, where they can see if a particular app they use was affected.
TechCrunch adds that the flaw likely didn’t impact photos shared privately through Messenger. Photos also had to be uploaded to Facebook to be shared — so pictures on your camera roll are probably safe.
This is only the latest in a series of recent Facebook data scandals and cybersecurity blunders. It’s safe to say that trust in the company’s data practices has been thoroughly eroded. This latest breach doesn’t bode well for the firm, either.
“We’re sorry this happened,” read the apology that concluded Facebook’s security disclosure.