[BreachExchange] Facebook reveals another privacy breach, this time involving developers
Destry Winant
destry at riskbasedsecurity.com
Thu Nov 7 09:45:18 EST 2019
https://www.zdnet.com/article/facebook-reveals-another-data-breach-this-time-involving-developers/
Facebook has quietly revealed another privacy breach involving
approximately 100 developers.
On Tuesday, Konstantinos Papamiltiadis, Facebook's Director of
Platform Partnerships said in a blog post that the names and profile
pictures of users connected to Groups and the system's API were
accessible.
Before April 2018, group administrators could authorize an app for a
group they managed, giving the application developer access to this
information.
Despite restricting information access to just the group's name, the
number of users, and post content — unless users opted-in to share
their name and profile picture — in April last year, Facebook says
that some apps retained access to this additional data until recently.
"As part of our ongoing review, we recently found that some apps
retained access to group member information, like names and profile
pictures in connection with group activity, from the Groups API, for
longer than we intended," Papamiltiadis said. "We have since removed
their access."
In total, roughly 100 developers may have accessed this information.
The tech giant knows of at least 11 developers that have accessed data
they should not have been able to tap into within the last 60 days.
The social media giant is now reaching out to developers.
Papamiltiadis says that there is "no evidence" of abuse, but Facebook
will be asking them to delete any group member data the developers may
have harvested. Audits will also take place to make sure developers
comply.
Facebook says that the apps involved were "primarily" related to
social media management and video streaming software.
"We aim to maintain a high standard of security on our platform and to
treat our developers fairly," the executive added. "As we continue to
work through this process we expect to find more examples of where we
can improve, either through our products or changing how data is
accessed."
In July this year, Facebook settled with the US Federal Trade
Commission (FTC) in an agreement worth $5 billion to lay to rest
allegations of user privacy failures in the wake of Cambridge
Analytica.
As part of the deal, Facebook agreed to conduct a privacy review of
every product, service, and practice before implementation, and
compliance officers had to be appointed to ensure the social network
is meeting the FTC's standards.
In related news, back in October, Facebook wiped out fake networks
originating from Russia and Iran designed to spread political content
through fraudulent accounts and pages.
Facebook has also promised to tackle the threat of 2020 US election
fraud on its network.
More information about the BreachExchange
mailing list