Facebook revealed more bad news about the lack of security on its platform. In a post on its Developer News site, Facebook notified developers that a photo API bug was discovered that “may have affected people who used Facebook Login and granted permission to third-party apps to access their photos.”
Facebook's post states: “Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers.” The only apps affected by this bug were ones Facebook approved to access the photos API and that individuals had authorized to access their photos.
The bug “potentially” gave developers access to photos shared on Marketplace or Facebook Stories. It also impacted photos that people uploaded to Facebook but chose not to post.
How is that possible? According to Facebook, “if someone uploads a photo to Facebook but doesn’t finish posting it… we store a copy of that photo so the person has it when they come back to the app to complete their post.” Personally, I think that’s kind of creepy.
Facebook users who have “potentially” been impacted by this bug will be notified via an alert on Facebook. That notification will direct them to a Help Center link where they will be able to see if they’ve used any apps that were affected by the bug.
I think Facebook should have made a publicly available list of those apps that everyone could see – even if they weren’t affected by the bug. It would have been more transparent. Facebook’s post does not give any information about how users can learn which of their photos were affected, or by which specific apps, or what those app developers are doing with the photos.
Facebook recommends that users log into any apps with which they have shared their Facebook photos to check which photos the apps have access to. That’s good advice in general. It doesn’t solve the problem, though.