Facebook API bug allowed apps to access unposted photos of up to 6.8 million users

Facebook bug

Facebook has clarified that its team has discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. Though it fixed the bug, some third-party apps might have accessed to a broader set of photos than usual in the period between September 13th to September 25th. 

The bug potentially gave developers access to all photos including those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. Facebook says that around 6.8 million users are affected and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.

The company said it will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. It will be working with those developers to delete the photos from impacted users. It will also notify the users potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.