Facebook’s internal team has identified a bug that allowed app developers see hidden photos of users, the social media giant has confirmed. From September 13 – September 25, the bug gave developers access to other photos, such as those shared on Marketplace or Facebook Stories.
“The bug also impacted photos that people uploaded to Facebook but chose not to post,” said Tomer Bar, a Facebook developer, in a blog post.
For example, if someone uploads a photo to Facebook but hasn’t posted which might be due to lost internet connection, Facebook’s stores a copy of that photo for three days so the person has it when they come back to the app to complete their post.
“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers,” added Bar.
According to Facebook, only users that had given permission to third-party apps to access their photos are affected by this bug.
“We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users,” Bar stated.
In October, the social media giant admitted that hackers broke into nearly 50 million users' accounts by stealing their ‘access tokens’ or digital keys. Attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’ – a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens, which they used to take over peoples’ accounts.
The company has also temporarily turned off the ‘View As’ feature, while a thorough security review is under process. According to Facebook, this attack exploited the complex interaction of multiple issues in code. It stemmed from a change Facebook made to their video uploading feature in July 2017, which impacted ‘View As.’