Facebook Photos API Bug Exposed Private Images of 6.8M Users

In yet another blunder, Facebook announced today that a bug in one of its APIs allowed third-party apps to access the private images of up to 6.8 million users. From September 13 to September 25, over 1,500 apps had access to photos that users never authorized them to see.

When users grant an application access to their images, that permission normally extends only to images the user has published to their timeline. The bug revealed today also gave third-party applications access to photos that were shared on Facebook Marketplace or Facebook Stories. If that wasn’t already a big enough problem, the issue also exposed images that users never even published. If the upload of an image is interrupted for any reason, Facebook stores a copy of the image for 3 days so that users can pick up right where they left off. While the bug was active, apps had access to those images.

In the company’s blog post, Facebook apologized for the bug and promised forthcoming tools for application developers that will help them determine which of their users were impacted. Facebook says that it intends to work with these developers to ensure that any relevant images are deleted. The company also plans to directly contact the users it believes were impacted by this issue.
