Facebook bug exposes 6.8 million users' hidden photos to thousands of third-party apps

Bug is latest in series of high-profile privacy scandals at the social network

Anthony Cuthbertson
Friday 14 December 2018 18:16 GMT

Facebook has once again been hit by a major bug exposing the accounts of millions of users.

The bug gave third-party apps access to photos of up to 6.8 million users, though Facebook says the issue has now been fixed.

“We’re sorry this happened,” Facebook’s engineering director Tomer Bar wrote in a post detailing the bug.

“Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

The bug gave up to 1,500 third-party apps access to photos between 13 September and 26 September 2018, Mr Bar revealed.

People affected by the bug will be notified by a Facebook alert, which will give more information about the issue.

“We are also recommending people log into any apps with which they have shared their Facebook photos to check which photos they have access to,” he said.

Security experts tell The Independent that Facebook ignored basic risk procedures in rolling out the update containing the bug.

"This defect should never have been pushed into production," said Andrew Van der Stock, a senior principal consultant at software firm Synopsys.

"Simple threat model would have discovered this flaw before any code was written... Possibly the developers might have been unaware of this basic principle, as it’s typically not taught in many computer science degrees. Both of these basic activities indicate developers and security folks must work together during the design and implementation of the API, rather than after it was released.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in