Facebook on Friday disclosed a bug in its platform that it said enabled third-party apps to access unpublished photos of 6.8 million users.
Facebook stores copies of photo drafts, so if someone uploads the photo but doesn’t finish posting it, the photo will still be stored in the platform’s database. The bug gave third-party apps access to these drafted photos.
The social-media company said that it discovered the glitch in a photo application program interface (API) that plagued the platform for 12 days, between Sept. 13 to Sept 25. The bug, which has since been fixed, gave some third-party apps “access to a broader set of photos than usual,” Facebook said.
While Facebook usually only grants apps with permissions access to photos that people share on their timeline, “In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories,” Tomer Bar, engineering director at Facebook, said in a post Friday. “The bug also impacted photos that people uploaded to Facebook but chose not to post.”
Facebook said that up to 6.8 million users are affected, as well as up to 1,500 apps built by 876 developers. The company said it will alert potentially impacted users.
“Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug,” Facebook said. “We will be working with those developers to delete the photos from impacted users.”
Facebook has found itself embroiled in an array of security incidents this year – with this one only the latest.