Facebook has revealed that a photo API bug affected around 6.8 million people across 1,500 apps connected to Facebook. The vulnerability stems from the permission that users give an app to access their photos on Facebook.
The bug was caused by an error in code that was updated in September. The API is expected to let a third-party app access photos that are shared on the timeline. But the bug gave app developers total access to other pictures as well, such as those uploaded to Facebook Stories or those that were uploaded but never posted.
Tomer Bar, Facebook’s engineering director, reported in a blog post that if someone uploads a photo to Facebook but doesn’t finish posting it, a copy of it is stored so the person can complete the post at a later time. However, the issue does not affect photos in Messenger.
The bug was live for 12 days, between Sept. 13 and Sept. 25. Facebook said that a new tool will be out next week for app developers to determine whether their users were affected by the security flaw.
Facebook found the flaw in September, but it did not notify the public for around three months because it was investigating the issue to find out how many people were affected.
This flaw is considered to be Facebook’s latest security fault. The social media giant notified the Irish Data Protection Commission once it determined that the breach was reportable under the European Union’s data protection laws, or GDPR.