Facebook admits bug allowed apps to determine hidden photos

A Facebook bug let app developers see photos users had uploaded but never posted, the social media has disclosed.

For 2 weeks in September, a miscalculation in the manner Facebook shares photos with organizations meant that apps often but not only photos users had posted for their newsfeed, but in addition pictures in other areas on the site C on Facebook Stories or Facebook’s Marketplace, by way of example.

The bug also “impacted photos that people uploaded to Facebook but chose to not post”, a Facebook developer, Tomer Bar, said in a statement on Friday.

Facebook’s privacy problems: a roundup

Discover more

Importantly, truly the only applications which had access to the hidden photos were the criminals to which users had already granted entry to each of their public photos, over the company’s API (application programming interface), Bar said.

“Currently, we know this can have affected as much as 6.8 million users and as much as 1,500 apps built by 876 developers.”

Users affected are the who had given permission to third-party apps to view their photos via the Facebook login function. There is absolutely no evidence that your bug led to any large-scale extraction of photos within the site.

“We’re sorry this happened,” Bar added. “Early monday you will find rolling out tools for app developers that these people to figure out which people utilizing their app could be suffering from this bug. As well as working with those developers to delete the photos from impacted users.”

The error fairly minor given Facebook’s scale. In September, almost 5x countless accounts were affected by a knowledge breach during which hackers accessed personal data including name, relationship status, search activity and recent location check-ins.

Guy Rosen, a Facebook vice-president, said at the moment: “The vulnerability was the result associated with a complex interaction of three distinct software bugs also it impacted ‘view as’, an element that lets people what their own personal profile appears to an individual else.

“It allowed attackers to steal Facebook access tokens, that could then use to use over people’s accounts. Access tokens will be the equal to digital keys that keep people logged within Facebook in order that they don’t have to re-enter their password if he or she utilize the app.”