Facebook says bug let apps access millions of users’ private photos

The Facebook logo appears on screens at the Nasdaq MarketSite, in New York's Times Square.
(Richard Drew / Associated Press)
Washington Post

Facebook Inc. revealed Friday that a major software bug may have allowed third-party apps to wrongly access the photos of up to 6.8 million users, including images that people began uploading to the site but didn’t post publicly.

The mishap, which occurred over a 12-day period in September, adds to Facebook’s mounting privacy headaches after a series of incidents earlier this year in which it failed to fully safeguard the personal data of its users. It has already prompted European regulators to investigate — and brought fresh calls for the company to be fined.

In general, Facebook allows apps by third-party developers to obtain users’ permission and access photos shared on their timeline. Because of the bug, though, roughly 1,500 apps could access “a broader set of photos than usual,” Facebook said in a blog post. That includes photos that a user may have started to post but abandoned before actually publishing, because Facebook keeps a copy of the draft in case the user might want to finish uploading it later.


The software bug also may have allowed developers to access photos they weren’t supposed to on Marketplace, a Facebook hub for users to buy and sell goods, and some posted in Stories, where users can share short photo or video updates that appear for 24 hours.

Friday’s revelation quick drew sharp rebukes from privacy advocates. “It’s stunning that Facebook has the ability to send user photos to third parties when the user has not fully uploaded the photo,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. “It’s like a provider sending draft emails.”

In response, Facebook apologized to users. “Early next week, we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug,” the company said. “We will be working with those developers to delete the photos from impacted users.”

Facebook declined to detail the exact apps that may have obtained these photos or what they may have done with them.

The photo mishap could embolden those who believe Facebook and its peers in Silicon Valley should be regulated for the data they collect about their users. It could also result in fines and other penalties for the company, which is already under investigation in the United States for mishandling users’ data. That investigation, initiated by the Federal Trade Commission, is the result of Facebook’s entanglement with Cambridge Analytica, a political consultancy that improperly accessed data on 87 million users. A spokesman for the FTC declined to comment.

Rotenberg said the new incident offered “more evidence” that Facebook has run afoul of the 2011 agreement it brokered with the FTC that required the tech giant to improve its privacy practices.


“You can call this a bug, or you can call it what it is: yet another instance of Facebook failing to protect its users’ privacy and running afoul of its 2011 consent decree,” Sen. Ed Markey (D-Mass.) echoed in a tweet Friday.

In Europe, meanwhile, Facebook could face additional fines under the region’s tough new rules governing data-collection practices. Under the so-called General Data Protection Regulation, or GDPR, companies have to inform policymakers within 72 hours of discovering a breach. Facebook said Friday it found and fixed the bug Sept. 22, and it notified regulators in late November after an internal investigation to determine the scope of the incident.

Privacy regulators in Ireland — which oversee Facebook because of the location of the company’s European headquarters — said Friday that they had received “a number of breach notifications from Facebook” in recent months. “With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR,” a spokesman said.

Silicon Valley is deeply divided over the issue of bug disclosures. Hackers exploit software bugs and vulnerabilities to steal or gain access to data. But bugs are routinely discovered and patched by tech companies — often without evidence that any data was actually taken.

Many security experts believe that companies should not have to disclose the mere existence of a bug if there is no evidence that data was compromised. The issue came to a head earlier this year, when reports revealed a security vulnerability in the Google Plus social network. Google came under fire for failing to disclose the bug, but many experts felt that the disclosure should not have been required since there wasn’t clear evidence of stolen data.

Several of Facebook’s recent privacy lapses have involved third-party apps. In the case of Cambridge Analytica, the firm previously harnessed profile information on Facebook users in 2015 through a quiz app developed by a researcher. In response to that scandal, Facebook initiated a broad review of the games and other third-party apps made available to its users on the site. In May, it suspended about 200 of them, declining at the time to describe exactly why.


Romm writes for the Washington Post.