Bug in Facebook’s photos API exposed photos of up to 6.8m users
17 December 2018
A recently-discovered bug in a Facebook photo API exposed personal photos of up to 6.8 million Facebook users to up to 1,500 third-party apps, including photos that users uploaded to Facebook but chose not to share.
The apps that had access to photos of millions of users between September 13 and September 25 were authorised by Facebook to access the photos API and had also obtained prior approval from users to access photos that had been shared on their timeline.
However, thanks to the bug, developers of such third-party apps gained access not only photos that people shared on their timeline, but also to those shared on Marketplace or Facebook Stories and also to photos that people uploaded to Facebook but chose not to post.
Facebook apologises for violating the privacy of millions
Photos that are uploaded to Facebook but not shared by users on their timeline are stored by Facebook for three days so that such users can share the already-uploaded photos on their timeline. Third-party apps gaining access to yet-to-be-shared photos of up to 6.8 million Facebook users could have turned out to be a major privacy nightmare.
“We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users,” said Tomer Bar, an engineering director at Facebook in a blog post.
“We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug. We are also recommending people log into any apps with which they have shared their Facebook photos to check which photos they have access to,” he added.
Facebook’s admission arrived shortly after Google revealed that a freshly-introduced bug in a Google+ API exposed personal information of up to 52.5 million users to app developers and third parties. Information exposed by the bug included names, dates of birth, gender and email addresses and could be viewed by apps and third parties even when set to not-public.
Security specialists and developers must work together
“The latest Facebook API bug is indicative of the necessity for application security specialists and developers need to work together. In the OWASP Application Security Verification Standard, we ask that developers test for these sorts of access control failures as a matter of course,” said Andrew van der Stock, senior principal consultant at Synopsys.
“If during development, developers had developed a threat model that included privacy breaches, a constraint would be immediately obvious and thus become a core part of all unit and integration tests. This defect should never have been pushed into production, as it should have broken the build.
“It is likely that a change was made to the API to allow the capture of draft images, but no constraints placed on the access control for these draft images. A simple threat model would have discovered this flaw before any code was written. Alternatively, simply implementing “deny by default” access control principle would have prevented this flaw.
“Possibly the developers might have been unaware of this basic principle, as it’s typically not taught in many computer science degrees. Both of these basic activities indicate that developers and security folks must work together during the design and implementation of the API, rather than after it was released,” he added.