Facebook exposed private photos from up to 6.8 million users to apps that weren’t supposed to see them.
These apps were authorised to see a limited set of users’ photos, but a bug allowed them to see pictures they weren’t granted access to. These included photos from people’s stories, photos from a users timeline, and photos that people uploaded but never posted. The exposure occurred due to a bug between September 12th and September 25th, but Facebook told TechCrunch that it discovered the breach on the 25th so its unclear why Facebook waited until now to speak out about the issue.
:no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/13626331/48789954_586266551832240_8195718961447305216_n.jpg)
Facebook said the bug was due to an error related to Facebook Login and its photos API, which allows developers to access Facebook photos within their own apps. All of the impacted users had logged into a third-party app using their Facebook accounts and granted them some degree of access to view their photos.
Facebook apologises for the breach with Tomer Bar, the director of engineering at Facebook saying “we’re sorry this happened”.
