Facebook Reveals Security Flaw Gave Developers Access to ‘Unpublished’ Photos of 6.8 Million Users
Facebook today announced yet another security incident affecting millions of its customers. This time, the company said that a bug in one of its APIs exposed the private photos of nearly 6.8 million users.
According to a press release from the social media giant (via TechCrunch), a bug in Facebook’s platform allowed 1,500 third-party apps built by 876 developers to access 6.8 million users’ unposted “draft” photos.
The security flaw gave apps connected to Facebook the ability to see photos that users had uploaded to the social network but not posted on their timeline. Users often do not end up posting photos they have uploaded to Facebook, for example because they decided they were unhappy with the photo, uploaded it by mistake, or lost their internet connection before posting.
“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” the company said. “In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post.”
Facebook claims the bug existed for 12 days, from September 13 to 25, and says it plans to roll out a tool next week that will allow developers to determine whether their users were affected by the security flaw. Facebook will also alert the millions of people affected by the flaw through a notification, the company said.
It’s the latest in a series of privacy concerns for the social media site. Facebook (and Google) have been accused of manipulating users to give up their data. And the company is still recovering from the Cambridge Analytica scandal, of course.