[BreachExchange] Facebook exposed up to 6.8 million users’ private photos to developers in latest leak

Destry Winant destry at riskbasedsecurity.com
Mon Dec 17 08:46:28 EST 2018


https://www.theverge.com/2018/12/14/18140771/facebook-photo-exposure-leak-bug-millions-users-disclosed

Facebook exposed private photos from up to 6.8 million users to apps
that weren’t supposed to see them, the company said today. These apps
were authorized to see a limited set of users’ photos, but a bug
allowed them to see pictures they weren’t granted access to. These
included photos from people’s stories as well as photos that people
uploaded but never posted (because Facebook saved a copy anyway).

The exposure occurred between September 12th and September 25th.
Facebook told TechCrunch that it discovered the breach on the 25th; it
isn’t clear why the company waited until now to disclose it. (Perhaps
it’s because the company was dealing with a separate and substantially
larger breach that it also discovered on September 25th.)

Affected users will receive a notification alerting them that their
photos may have been exposed. Facebook also says it’ll be working with
developers to delete copies of photos they weren’t supposed to access.
In total, up to 1,500 apps from 876 different developers may have
inappropriately accessed people’s pictures.

Facebook said the bug had to do with an error related to Facebook
Login and its photos API, which allows developers to access Facebook
photos within their own apps. All of the impacted users had logged
into a third-party app using their Facebook accounts and granted them
some degree of access to view their photos.

“We’re sorry this happened,” writes Tomer Bar, engineering director at
Facebook. The disclosure comes exactly one day after Facebook opened a
pop-up installation in New York to show people how “you can manage
your privacy” on the site.

Facebook has been in hot water again and again this year over data
breaches and exposures, most notably with Cambridge Analytica. In many
cases, the problems haven’t been caused by hackers, but they have
stemmed from issues within Facebook itself. The Cambridge Analytica
breach happened because of Facebook’s lax oversight of developers and
data sharing; today’s issue happened because of another breakdown in
communication between Facebook and developers.

Google has already pledged to shut down Google+ over similar issues.
Twice this year, the service exposed information inappropriately to
developers.
