Submitted via IRC for SoyCow1984
Facebook has disclosed yet another privacy flub. This time around, it says a bug in the Photo API led to third-party apps being able to access not only timeline photos (which users had permitted them to do), but Stories, Marketplace images and photos people uploaded to Facebook but never actually shared.
"For example, if someone uploads a photo to Facebook but doesn't finish posting it -- maybe because they've lost reception or walked into a meeting -- we store a copy of that photo so the person has it when they come back to the app to complete their post," Engineering Director Tomer Bar explained in a post.
The bug affected as many as 6.8 million people across up to 1,500 apps, Facebook says, and it was active for 12 days before it was detected and fixed on September 25th. Companies are supposed to disclose data breaches within 72 hours under EU General Data Protection Regulation rules, though Facebook told TechCrunch it needed some time to investigate the bug's impact and prepare a notice for affected users in various languages. Still, the delay could land Facebook in hot water with EU regulators.
Source: https://www.engadget.com/2018/12/14/facebook-privacy-bug-photos-timeline-stories-marketplace/
Related: Facebook Keeps Unposted Videos
(Score: 3, Insightful) by Virindi on Thursday December 20 2018, @12:47AM (2 children)
Does 'data breach' include simply finding a bug, without evidence that someone has used it to steal data? That would seem unlikely since it might even discourage developers from looking for bugs which might be hard to exploit.
So it isn't necessarily a given that there was some violation of EU regulations here.
(Score: 3, Interesting) by rigrig on Thursday December 20 2018, @01:53AM (1 child)
"Your data was exposed, and we don't know who took advantage of it"
I'd say that classifies as a breach, and if it was my data I'd want to know about it.
Which is the whole point of the 72-hour deadline: Facebook had three days to figure out how bad this was, after which they were required to at least inform people that their photos might have been visible. Two months seems a bit long to make a list of apps and translate a message.
That only works until the first time someone does manage to exploit a bug you decided not to investigate.
No one remembers the singer.
(Score: 2) by Virindi on Thursday December 20 2018, @08:08PM
But then, wouldn't you have to make such a notification basically anytime you ran security updates on a server which contained a fix for an exploit? That happens constantly.