Facebook allows users to upload photos without posting them. Until now everyone believed that this is safe, but it appears that a bug made those photos public. The error appeared back in September, and for two weeks Facebook shared those images.
it appears that other parts of the site, such as Facebook Marketplace were affected as well. In addition to that, this also has an impact on “photos that people uploaded to Facebook but chose not to post”.
Facebook vice-president Guy Rosen explained how this worked:
The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted ‘view as’, a feature that lets people see what their own profile looks like to someone else.
It allowed attackers to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.
Fixes for this bug
Any user who has given permission to third-party apps to access their photos can be a victim of this bug. Therefore, no one else had access to those hidden photos, except for the apps that already received access to public photos through the application programming interface of the company. Facebook will work closely with the developer of those apps in order to fix the problem.
Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.
Nora Reynolds is a major in biology and a minor in Biological Basis of Behavior, writing about science in general. She also likes to try new gadgets and sports about the AI new era.