An estimated 6.8 million users were affected in the latest photo leak, caused by a bug in its app development platform that let apps access the private pictures of users, Facebook has revealed.
Apps are expected to have access only to images posted on a user’s timeline; however, a bug let the apps see any images linked to the account. This includes images on Facebook Stories and Facebook Marketplace, as well as those uploaded but not published. Facebook stores the latter for three days before they are deleted, in case the user decides to publish them.
Users are required to give permission for apps to view photos, and only users who gave picture permissions had their images leaked to the apps.
Facebook said the bug was active for 12 days between September 13th and September 25th, during which time third-party apps that had access to a user’s photo gallery were able to also access photos that were not meant to be public:
When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo for three days, so the person has it when they come back to the app to complete their post.
Facebook said at the time that up to 1,500 apps built by 876 developers, and up to 6.8 million customers, were impacted. Only apps that Facebook approved to access the photos API and that users authorized to access their photos were affected. Facebook has created a help page that you can access at this link to see whether you’re one of the 6.8 million people impacted by the bug.