A bug in a Facebook photo API, another scandal in a string of privacy violations for the social media company, exposed photos of as many as 6.8 million users who had granted permission to third-party apps to access their photos, including those that they hadn’t yet shared to Facebook.
Noting the issue had been fixed, Facebook Engineering Director Tomer Bar, in an alert to developers, said, “some third-party apps may have had access to a broader set of photos than usual” during a 12-day period, September 13 to September 25, 2018.
Instead of granting the app access to photos shared on users’ timelines as is typical, “the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post.” Facebook, he says, stores photos for three days after a user creates a post but does not publish it.
“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers,” Bar said, noting the bug only affected apps that “Facebook approved to access the photos API and that individuals had authorized to access their photos.”
“This particular bug was in Facebook’s application programming interfaces, or APIs, which can provide a direct gateway to sensitive customer info without checking who is accessing the data,” said Dvir Shapira, director of partners at Imperva.
Pointing to a recent API security problem in Google+, he explained that “APIs are particularly vulnerable to third-party application security coding errors” and that exposures and breaches will likely rise in 2019. “Though the scale of this specific API issue is minuscule to that of Google+, the amount of personal information Facebook holds still makes it a significant concern,” he added, citing a recent Imperva survey that found “on average companies manage 363 different APIs, and that 69 percent of organizations are exposing APIs to the public and their partners.”
There does seem to be a glimmer of hope, though. “The good news is that this trend of recent data breaches is hopefully a sign that businesses are taking security more seriously, reviewing their applications and software more closely, and most importantly putting a premium on improving API security and protecting our data,” Shapira said.
If developers had created a threat model that included privacy breaches, “a constraint would be immediately obvious and thus become a core part of all unit and integration tests,” said Andrew van der Stock, senior principal consultant at Synopsys.
“This defect should never have been pushed into production, as it should have broken the build,” said van der Stock. “It is likely that a change was made to the API to allow the capture of draft images, but no constraints placed on the access control for these draft images.”
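As an added illustration of van der Stock's point, and not Facebook's code: a hypothetical photo-API authorization check in which the privacy constraint (third-party apps see only published timeline photos, never drafts, Marketplace or Stories uploads) is explicit and deny-by-default, next to an "unconstrained" version that only checks ownership and scope, with a test that would break the build for the latter. The surface names, the `user_photos` scope string and all sample data are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet

class Surface(Enum):
    """Where a photo was shared (hypothetical categories, modelled on the article)."""
    TIMELINE = "timeline"
    MARKETPLACE = "marketplace"
    STORY = "story"

@dataclass(frozen=True)
class Photo:
    owner_id: str
    surface: Surface
    published: bool  # False for an upload the user never posted (a retained draft)

@dataclass(frozen=True)
class AppGrant:
    app_id: str
    user_id: str
    scopes: FrozenSet[str]  # hypothetical scope names, e.g. "user_photos"

def can_read_photo_unconstrained(grant: AppGrant, photo: Photo) -> bool:
    """Hypothetical 'before': owner and scope only; surface and draft state are never consulted."""
    return grant.user_id == photo.owner_id and "user_photos" in grant.scopes

def can_read_photo(grant: AppGrant, photo: Photo) -> bool:
    """Hardened check: every branch of the privacy constraint is explicit, deny-by-default."""
    if grant.user_id != photo.owner_id or "user_photos" not in grant.scopes:
        return False
    if not photo.published:                  # drafts never leave the platform
        return False
    return photo.surface is Surface.TIMELINE  # Marketplace/Stories photos are out of scope

def privacy_constraints_hold(check: Callable[[AppGrant, Photo], bool]) -> bool:
    """The build-breaking test: each case the threat model forbids must be denied."""
    grant = AppGrant("app-1", "alice", frozenset({"user_photos"}))
    cases = [  # (photo, expected decision): constructed sample data
        (Photo("alice", Surface.TIMELINE, True), True),
        (Photo("alice", Surface.TIMELINE, False), False),   # unpublished draft
        (Photo("alice", Surface.MARKETPLACE, True), False),
        (Photo("alice", Surface.STORY, True), False),
        (Photo("bob", Surface.TIMELINE, True), False),      # not the grantee's photo
    ]
    return all(check(grant, photo) is expected for photo, expected in cases)

if __name__ == "__main__":
    print("unconstrained:", privacy_constraints_hold(can_read_photo_unconstrained))  # False
    print("hardened:", privacy_constraints_hold(can_read_photo))                     # True
```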