(The AEGIS Alliance) – Another software bug was disclosed by Facebook on Friday. It may have exposed private photos of users to app developers who did not have permission to access them. The bug was active for 12 days back in September. It may have affected as many as 6.8 million users.
According to Facebook, the bug had an impact on hundreds of apps that allow users to create accounts and sign in using their login information. Hundreds of developers were able to use the software bug, which gave them a broader range of Facebook photos than they would usually be allowed to access.
“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” Facebook said in a blog post. “In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories.”
That includes photos from draft posts, which are photos that had been uploaded to Facebook but weren’t actually shared. Photos in Messenger were not impacted. Now we wonder if it affected photos shared to albums or private groups.
It has been quite the embarrassing year for Facebook over concerns of user privacy, not to mention Cambridge Analytica, which exposed Facebook’s weak privacy policies from years past. Facebook has seen many other privacy mishaps, many over the last six months.
There was a bug that accidentally “unblocked” people whom users had blocked. There was a bug which changed share settings of users so that their information was shared publicly without them realizing it. Hackers also stole the private data of nearly 30 million users just before the midterm elections.
This latest photo sharing bug is yet another injury for Facebook. Facebook has been dealing with the perception that it isn’t taking user privacy seriously. Why would people trust Facebook with their personal information?
It isn’t yet clear if Facebook will be punished by regulators for its most recent blunder, since Facebook discovered the bug back in September, around three months ago. New data laws in Europe require companies to report data breaches to authorities within 72 hours, and to users “without undue delay.” Companies can be fined for violating the laws.
Facebook didn’t report the bug to the Office of Data Protection Commissioner until November 22, “as soon as we established it was considered a reportable breach under GDPR,” a spokesperson said. “We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72-hour time-frame.”
Obviously users were not told at the same time. “We have been investigating the issue since it was discovered to try and understand its impact so that we could ensure we are contacting the right developers and people affected by the bug,” a Facebook spokesperson stated. “It then took us some time to build a meaningful way to notify people, and get translations done.”
Meanwhile, Facebook will start alerting users who had been affected.
Kyle James Lee – The AEGIS Alliance – This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.