Up to 6.8 million users’ private photos exposed to developers in latest leak
It seems for Facebook that 2018 is the year of saying ‘We’re sorry’ again and again as it announces breach after breach. The last one we knew about was a breach revealed on September 25, 2018 where 30-50 million users were impacted. That was the most significant breach that day but as it turns out, it wasn’t the only breach discovered that day.
Though it didn’t reveal it right away, Facebook had discovered a second compromise on September 25 that exposed photos of 6.8 users to developers. The exposure occurred from September 12 – 25 through third party apps and included photos that hadn’t yet been made public by the users. Normally, a user gives an app permission to access their photos and the app is only able to see images in their timeline. But the bug here gave apps access beyond that, including photos that were still private, as well as access to Marketplace and Facebook Stories.
If you’re a Facebook user, you’ll receive a notification from Facebook the next time you log in. it will look like the notice posted here. If you don’t see such a notice, you weren’t affected. Even if your photos were exposed, there’s no action for you to take at this point to mitigate the impact. You might want to review your privacy settings to make sure they are set where you want them to be.
Facebook has said it’s working with the developers who had unauthorized access to the photos to ensure they delete them. As many as 1,500 apps from 876 developers may have been involved in the exposure.
Perhaps Facebook felt it had its hands full with the first breach discovered that September 25th day. But for whatever reason, the public likely isn’t satisfied that they opted not to reveal this second breach of personal photos for several months. Not only does it bring further smudges to Facebook’s already tarnished reputation, hiding data breaches from users is likely to bring steeper fines from regulations such as the GDPR, in effect since May 25 of 2018.
The bug that opened the access was due to an error in the Facebook Login and photos API. Normal permissions were exceeded (violated) and given to developers who logged into other apps using their Facebook account.
This breach adds another to the string of embarrassing data compromises Facebook has been guilty of this year. The most memorable is the one involving Cambridge Analytica, fully the fault of Facebook’s poor management of its developers and how data is shared. In fact, all of these significant data breaches have not been the doing of hackers – the fault lies with Facebook in every case.
Google+ has also experienced similar problems that have compromised its users privacy, leading to the planned closer of the G+ platform this year.
We’ve all heard Facebook apologize again and again and re-pledge its commitment to protecting user privacy. However we have yet to see those words become reality, both in ensuring proper code and revealing compromises in a timely manner. Delayed reveals makes one wonder if there are even more data breaches that they haven’t told us about yet.
The irony continues with the timing of this latest disclosure coming just one day after Facebook announced the installation of a privacy pop-up in New York, designed to give users the means to better manage privacy on the site. So far, users for the most part have done their part. It’s long past time that Facebook step up and ensure no more bugs or breaches compromise their users’ data.
ICO issues maximum £500,000 fine to Facebook for failing to protect users’ personal information
Facebook breach could have impacted third-party apps; Is huge GDPR fine on the horizon?
Sources:
1. https://www.theverge.com/2018/12/14/18140771/facebook-photo-exposure-leak-bug-millions-users-disclosed
2. https://tech.co/news/facebook-data-breach-exposes-user-photos-2018-12