Ending the year on a sour note, Facebook just said it might have mistakenly overshared the photos of nearly 7 million users.
The company discovered a photo API bug, which it believes might have affected those who used Facebook Login and then granted third-party apps permission to access their personal pictures.
“We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual,” Tomer Bar, engineering director, Facebook, admits in a new blog post.
The overexposure took place during the 12 days between September 13 and September 25.
When Facebook users give permission for apps to access their photos, it’s only supposed to include those that they’ve shared on their timeline. However, the bug in question potentially gave developers access to other photos, including those shared on Marketplace and Facebook Stories.
Critically, the bug also impacted photos that users had uploaded to Facebook, but chosen not to post.
As of Friday, Bar estimated the bug affected up to 6.8 million users, and up to 1,500 apps built by 876 developers.
Early next week, Bar’s team plans to roll out tools for app developers to help them determine which users were impacted. “We will be working with those developers to delete the photos from impacted users,” he said.
Of course, this isn’t the only security issue to impact Facebook users this year.
Since first being rocked by the Cambridge Analytica controversy in March, Facebook has suffered several other privacy mishaps.
In July, Facebook said a bug was to blame for temporarily unblocking some users who had been previously blocked. The company said that mess-up could have impacted as many as 800,000 users of Messenger and its flagship app.
In October, the company admitted that a hiccup led to the deletion of some users’ Live videos when they tried to post them to their Story and News Feed.