Facebook’s terrible year continues with exposure of 6.8 million users photos

December 17, 2018 |

For Facebook, even more so than Google, 2018 was an annus horribilis, at least on the reputational and branding front.  Wired reports that for Facebook had a bug in September which let third party developers to view photos of 6.8 million Facebook users whether they were shared photos or not.

This of course comes on the back of a report:

  • that Facebook cyber attack has resulted in stolen data from 29 million Facebook accounts.
  • in the Guardian which reports that Facebook as far back as 23012 discussed selling access to data to advertisers.
  • In April Facebook said that personal data of 87 million users was improperly shared with Cambridge analytica.
  • in September Facebook says it has discovered a security breach affecting nearly 50 million users.

The Wired article is grim reading enough, providing:

Friday morning, Facebook disclosed the latest in an ongoing series of privacy and security lapses that have come to define the company in 2018. For nearly two weeks in September, a bug let third-party developers view the photos of up to 6.8 million Facebook users, whether they’d shared them or not.

Facebook will eventually alert affected users with a notification, which will send them to a page that details what happened and which apps might have their photos on hand. No need to wait, though; you can head to this page now to see whether you’re one of the unlucky millions. You’re potentially at risk if you use Facebook Login to sign into apps and approved them to access your photos. Up to 1,500 apps, from 876 developers, potentially had access to private pics.

This is not ideal! As Facebook notes in its Friday post for developers, those permissions are supposed to apply to photos that you share to your timeline. Thanks to this bug, developers could also have accessed photos that you shared to other areas of Facebook, including Marketplace and Stories. More alarmingly, they could have accessed any photos that you uploaded to Facebook but chose not to share at all. A small silver lining: Photos shared in Messenger conversations weren’t affected.

Facebook says the bug was introduced on September 13 and that its security team found and fixed it on September 25. If the latter sounds familiar, it’s the same day Facebook discovered that hackers had compromised the accounts of 30 million users. But while the company disclosed that disaster on September 28, it took months to roll out news of its Photos API mess. Which means two things: September 25 was a terrible day to be a Facebook security engineer, and there are legitimate questions over whether Facebook could be in trouble with European regulators.

Europe’s General Data Protection Regulation, which went into effect earlier this year, gives companies 72 hours to notify the authorities of a breach. It’s been well over 72 days since Facebook first spotted the Photos API issue.

That doesn’t necessarily mean the company skirted the rules, though. Facebook argues that it needed that time to investigate whether the incident qualified as a breach under GDPR in the first place, and that it told the appropriate authorities within 72 hours of making that determination. Similarly, Facebook says it took so long to notify affected users because it needed time to identify and contact developers, and to build a “meaningful way” to notify users that they’d failed to protect their data. Given the number of times Facebook has had to do so this year, you’d think they’d have it down by now.

In fairness, the GDPR question isn’t entirely cut-and-dried. Companies get a pass on notifying regulators within 72 hours if the breach “is unlikely to result in a risk to the rights and freedoms,” and they only have to alert individual users to an incident if it “is likely to result in a risk to the rights and freedoms.” The GDPR offers some guidelines about what rises to that level, but it also leaves plenty of room for interpretation. While a hacker gaining access to bank account numbers and unencrypted passwords would certainly qualify, privacy lawyers say that photos exposed through an API to developers seems like legitimately murkier territory.

Meanwhile, Facebook has yet to fully resolve the issue. The company says it will roll out tools for app developers early next week to help them determine which of their users might have been affected, and it will further help with the deletion of any photos that they have inappropriate access to. Facebook also recommends that if you are impacted, you log into any apps you’ve given Facebook photos permissions to double-check what they have on hand. It’s unclear if, beyond that sort of personal audit, Facebook can guarantee that every developer will delete every unauthorized photo.

Bugs happen, even to the most rigorous companies. “We can’t ever expect to get to a point where there are no vulnerabilities left,” says Alex Rice, CTO of the bug bounty development organization HackerOne. “And there’s a lot of anger and finger pointing and frustration about how do we still have security bugs and privacy bugs, and how are these things still happening?” And how, most importantly, does a company respond to the issues when they arise? For Facebook in 2018, the answer has been a decidedly mixed bag.

This latest incident puts a dour endnote (hopefully!) on an already terrible year for the company. Impossible as it is to believe, the Cambridge Analytica scandal kicked off just nine months ago. Since then, hardly a month has gone by without some new revelation about how Facebook mishandled user data or failed to stop the spread of fake news or targeted George Soros for opposition research.

The Photos API mishap ranks low on that list in both severity and scope. But perhaps that’s the most damning news for Facebook of all: It exposed nearly 7 million people’s private photos, and it’s barely a blip on its year in review.

Leave a Reply