
A newly disclosed bug in Facebook's photo API exposed the photos of up to 6.8 million users to as many as 1,500 third-party apps, including photos that were set as private and photos that users had uploaded but never shared (left as drafts).

A few hours ago, Facebook published an announcement on its developer blog describing the photo API bug in its photo-sharing system. The bug affected 1,500 third-party apps built by 876 developers and gave those apps access to photos that users had never shared publicly on their timeline, including photos uploaded to Facebook Marketplace and Facebook Stories.

Facebook made the following statement regarding the photo API bug:

“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories,”

In other words, the permission users granted was scoped to photos shared on their timeline, but the API returned photos outside that scope. The bug was live for 12 days, from 13 September until 25 September, when Facebook discovered and fixed it. According to Facebook's statement, the only photos exposed were those of users who had authorized one of the affected third-party apps to access their photos.

“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos,” Facebook said.

Facebook has sent a notification to all 6.8 million affected users, displayed in their Facebook feed, stating that their photos may have been exposed, along with a link to a Facebook Help Center page with more details about the issue.

Facebook also recommended that users log in to any apps with which they have shared their Facebook photos to check which of their photos those apps can access.


Facebook also says it is working on a tool for developers that will let them identify which of their users were affected by the API bug.