Facebook Exposed Users’ Private Photos

Millions of Facebook users’ private photos may have been exposed due to a bug, the social network announced Friday. For 12 days in September, as many as 6.8 million people’s private photos were accessible to third-party apps.

A bug in Facebook’s photo software authorized as many as 1,500 apps to access photos that users had not shared on their timelines, such as photos posted to Facebook Stories and photos that users uploaded to Facebook and then decided not to post. The social network said it would contact people affected by the bug.

“We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual,” wrote Tomer Bar, an engineering director at Facebook. Generally, apps have access to the photos people have shared on their timelines. Bar added: “We’re sorry this happened.”

TechCrunch’s Josh Constine reported that Facebook learned about the bug Sept. 25. The apps had access from Sept. 13 to Sept. 25. Constine wrote:

That it keeps photos you partially uploaded but never posted in the first place is creepy, but the fact that these could be exposed to third-party developers is truly unacceptable. And it seems Facebook is so tired of its failings that it couldn’t put forward even a seemingly heartfelt apology is telling.

Engineers at Facebook discovered another security breach on Sept. 25 as well. As many as 50 million accounts, Facebook announced days later, were completely exposed to attackers.

“It is not uncommon for us to receive reports about high or critical bugs from researchers,” Facebook’s security engineering manager, Dan Gurfinkel, told Wired. “The September security incident involved a case of three different bugs interacting with one another. Among other lessons, it served as a reminder that it’s important to get as many eyes as we can to evaluate and test our code.”

“I’m glad we found this and fixed the vulnerability,” Facebook CEO Mark Zuckerberg said at the time, “But it definitely is an issue that this happened in the first place. I think this underscores the attacks that our community and our services face.”

People are losing trust. At BuzzFeed, Charlie Warzel wrote:

That’s two massive vulnerabilities in a matter of months—in the same year as the Cambridge Analytica scandal, which also involved millions of Facebook users. Taken together, screw-ups are mind-boggling in scope, affecting tens of millions of people. They aren’t mere email address or password leaks—though emails were certainly leaked—these are breaches of highly personal information—location histories, search histories, photos. In some cases, the information was improperly shared with political consultants potentially to manipulate voter sentiment.

In April, Facebook said that the data firm Cambridge Analytica accessed the personal information of about 87 million Facebook users. In May, Facebook drew skepticism from privacy advocates when it announced an anti-revenge porn program that required users to submit the nude photos that they did not want disseminated. And in June, Facebook revealed a software bug in which 14 million users may have posted information publicly that they had intended only for smaller groups.