Facebook waited months before admitting privacy bug exposed millions of users’ unposted photos

It took almost three months for Facebook to come clean that it had put its users' privacy at risk.

Graham Cluley


At the end of last week Facebook revealed that an API bug had given developers of third-party apps access to the photos of millions of users.

A flaw in Facebook’s code had allowed apps already given permission to access users’ timeline photos to also hoover up images in Facebook Stories, Marketplace photos, and even those photos that had been uploaded to Facebook but never shared.

When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo for three days so the person has it when they come back to the app to complete their post.


Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.
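The authorization gap Facebook describes above, modelled as an added example (my own illustration, not Facebook's code; the photo "surfaces", the `user_photos` scope name and the sample data are assumptions): the permission check itself passes, but the query behind it returns every photo the user owns instead of only the posted timeline photos the permission was supposed to cover.

```python
from dataclasses import dataclass

# Constructed photo "surfaces": only timeline photos the user actually posted
# are meant to be visible to an app granted the photos permission.
TIMELINE, STORY, MARKETPLACE = "timeline", "story", "marketplace"

@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    surface: str        # where the photo lives (timeline, story, marketplace)
    posted: bool        # False for an upload the user never finished posting

@dataclass(frozen=True)
class AppGrant:
    app_id: str
    user: str
    scopes: frozenset   # scopes the user granted this app, e.g. {"user_photos"}

def photos_api_buggy(store, grant):
    """Flawed version: the scope gate is fine, but the query is too broad.
    Every photo owned by the user comes back, whatever its surface or state."""
    if "user_photos" not in grant.scopes:
        return []
    return [p for p in store if p.owner == grant.user]

def photos_api_fixed(store, grant):
    """Hardened version: scope gate plus a surface/state filter, so the app
    only sees posted timeline photos, which is what the permission promised."""
    if "user_photos" not in grant.scopes:
        return []
    return [p for p in store if p.owner == grant.user
            and p.surface == TIMELINE and p.posted]

# Constructed sample data for user "alice" (hypothetical identifiers).
STORE = [
    Photo("p1", "alice", TIMELINE, True),
    Photo("p2", "alice", TIMELINE, False),   # upload never finished (draft)
    Photo("p3", "alice", STORY, True),
    Photo("p4", "alice", MARKETPLACE, True),
    Photo("p5", "bob", TIMELINE, True),
]
GRANT = AppGrant("app-123", "alice", frozenset({"user_photos"}))

def over_exposed_ids(store, grant):
    """Photo ids the buggy endpoint hands out beyond what the fixed one allows."""
    allowed = {p.photo_id for p in photos_api_fixed(store, grant)}
    return sorted(p.photo_id for p in photos_api_buggy(store, grant)
                  if p.photo_id not in allowed)

if __name__ == "__main__":
    print("over-exposed:", over_exposed_ids(STORE, GRANT))  # ['p2', 'p3', 'p4']
```

The draft, Story and Marketplace photos (p2, p3, p4) are exactly the three categories the announcement lists, and none of them should ever reach an app holding only the timeline-photos permission.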

Facebook says “We’re sorry this happened”, and that it is providing app developers with tools to see if they were impacted, in order to help them delete any photographs to which they should not have had access.

According to the social media giant, the flaw existed for 12 days, between September 13 and 25, 2018.

Which leads to an obvious next question – how come Facebook only went public about the problem on December 14th? It found out about the problem on September 25th. That means it took almost three months for Facebook to come clean that it had put its users' privacy at risk.

You would think after Facebook’s troubled year it would show a little more urgency in admitting it had a problem, and reassuring users it was on top of the problem.

Or maybe that’s the problem. Maybe Facebook is having such a terrible year that it’s choosing to make its more embarrassing admissions at times that are most likely to reduce the attention of the media.

It’s not the first time I’ve noticed Facebook admitting a privacy gaffe on a Friday…

Oh, and if you want more fuel for this theory consider this. Facebook discovered another serious security hole on September 25th (announced on September 28th) that left tens of millions of accounts exposed to attackers.

Did Facebook deliberately keep schtum about the photo privacy bug until now so as not to make September’s announcement even worse?

I quit Facebook earlier this year. If you’re finding it hard to imagine doing the same, why not listen to this “Smashing Security” podcast we put together describing the process of quitting Facebook:

Smashing Security #75: 'Quitting Facebook'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
