Facebook admits 6 billion users’ private photos accessed by third-party

December 14, 2018

In a Facebook blog, the company shared that a bug may have given third-party apps the go ahead to wrongly obtain photos from up to 6.8 million users.

The social media giant allows third-party apps to ask for user permission to access pictures on said users’ Facebook timeline.

Read more: Tumblr has returned to Apple App Store following adult content ban

The bug of concern may now allow around 1,500 apps to access photos that aren’t on a user’s Facebook timeline. This refers to photos that a user started to post, but ultimately deleted before it was available publicly as the website hangs on to photo drafts.

The bug also may have given app developers access to photos shared on places such as Marketplace and Facebook Stories.

Facebook apologized to users today. “Early next week, we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug,” the social media site says. “We will be working with those developers to delete the photos from impacted users.”

When asked about the third-party apps in question, Facebook declined to give names or what said apps may do with the photos.

This isn’t a new phenomenon faced by the company. Facebook had bug issues in mid-November, too.

Facebook claims it fixed a bug that allowed websites to obtain information from a user’s profile, including their “likes” and interests, after security researcher Ron Masas zeroed in on the social media exploit, TechCrunch reports.

Masas, who works for cybersecurity company Imperva, found that search results on Facebook weren’t being properly safeguarded from a type of cyber-attack known as a cross-site request forgery (CSRF). Basically, a CSRF attack can utilize unauthorized commands to grab portions of user data from a logged-in Facebook profile.

It allowed such info to “cross over domains,” he explains. “Essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friend.” That’s right: Just leaving Facebook logged-in on an open tab and visiting a certain website could trigger an attack.

And that malicious site could then mount Facebook searches that might return “yes” or “no” responses. For example, the exploit could see if a user liked a certain page. And it means the bug “exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends,” Masas notes. But this problem isn’t solely in Facebook’s court.

The bug is known exploit to hackers, but Masas says the type of data the social media giant harbors would be “attractive” to advertising concerns. For its part, Imperva quietly told Facebook about the bug in May. It was fixed a few days later.

“We appreciate this researcher’s report to our bug bounty program,” a spokesperson said in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”