Please delete your files: Facebook exposes private photos of millions of users… Again

Share this…

1 500 applications, of 876 different developers, accessed photos that users stored as a draft

Facebook has just revealed a new vulnerability in its platform, which allowed third-party applications to access unpublished photos of about 6.8 million users, report experts in digital forensics from the International Institute of Cyber Security.

If a user uploads a photo to their Facebook profile without completing the posting process, the file is saved as a draft in the social network database. This error granted multiple third-party applications access to the draft database.

The company claims that it discovered the flaw in a photo Application Program Interface (API) that persisted on the platform for almost two weeks, between September 13 and 25. “The security flaw has already been corrected. Some third-party applications accessed a set of photos beyond the permissions granted,” Facebook said in its statement.

By default, Facebook only grants third-party applications permission to access the photos published on the user’s timeline. However, according to experts in digital forensics, this flaw could have caused some developers to access some other publications, such as those made in the Marketplace section or in Facebook stories. “The error also affected the photos that people uploaded to Facebook, but in the end they were not published”, says Tomer Bar, director of social network engineering.

According to Facebook estimates, about 6.8 million users would have been affected; the company is in the process of notifying potentially affected users.

“Over the next few days we will begin with the implementation of a series of tools for the external developers, allowing them to determine which users might have been affected by this flaw”, Facebook said. “We will work together with developers to eliminate these compromised files”.

This year has been plagued by errors and accusations against Facebook. Last May, experts in digital forensics revealed a bug in Facebook’s software that changed the privacy settings of millions of users’ posts, leaving any post available to the general public.

Subsequently, the social network stated that it was the victim of a group of hackers who exploited a flaw in the “View as” function, thus about 50 million of access tokens were exposed. As if it were not enough, it was verified the responsibility of Facebook in the scandal of the consultant Cambridge Analytica, where the information of millions of users of Facebook was leaked for electoral purposes.