The bug gave the external operators far greater access to Facebook users’ images than the tech firm normally allows. Permission usually only extends to the public photos that people share on their timeline.
However, due to the API glitch, developers were given access to other images belonging to users, including ones on Facebook Stories, Marketplace and even photos that had been uploaded to the social media site but that users had decided not to publish.
The API malfunction existed for nearly two weeks from September 13 to 25 this year. Facebook developer Tomer Bar said in a blog post on Friday that the only apps that had access to the hidden photos were those to which users had already granted access to their public images.
Bar said Facebook “currently” believes that up to 6.8 million users and up to 1,500 apps built by 876 developers were affected by the problem.
“We’re sorry this happened,” he said. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”
This latest error is actually relatively minor, compared to recent Facebook data breaches. The Silicon Valley behemoth has admitted that hackers had accessed the data of 29 million of its users in September.
Approximately 15 million of the victims had their names and contact details disclosed, while the hackers were able to see personal information, including education and employment background and location check-ins, of a further 14 million.
The attack caused a plunge in Facebook’s share price and sparked an FBI investigation into the breach.
“The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else,” Facebook vice president, Guy Rosen, explained.
It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.