It seems that we can’t even go a few weeks without some new story about a worrisome Facebook bug emerging. Earlier today, the social networking giant revealed that one of their internal teams discovered a photo API bug impacting third-party apps. Specifically, some third-party apps may have had access to a broader set of a user photos than typically allowed, both public and private, for about 12 days in late September.
When it comes to third-party Facebook apps and their access to user photos, the way it works is pretty simple: apps can only access public photos which appear on a given user’s timeline. The bug in question, however, granted access to all sorts of photos, even photos that weren’t fully posted to the site.
“In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories,” Facebook explained on a blog post earlier today. “The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post.”
All told, Facebook relays that the bug potentially impacted upwards of 6.8 million users.
“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers,” Facebook said. “The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.”
Along with an apology, Facebook says that it plans to introduce a new tool for app developers to figure out which users might have been vulnerable to the bug. Additionally, Facebook said that it will alert individual users who may have had their photo collection compromised by the bug over the next few days.
At this point, there is no indication as to which apps in particular had improper access to user photos, nor is there any indication as to how many photos were improperly accessed.