Facebook, which is finishing up a year marred by user data scandals, says a “bug” allowed third-party apps to access up to 6.8 million users’ unposted photos for 12 days in September.
From September 13 to September 25, a bug in the photo interface gave apps access to photos of users not just on their timelines but in other corners of Facebook. It also opened up images that users had uploaded to Facebook but not actually posted. Up to 1,500 apps built by 876 developers were affected, the company said.
“We’re sorry this happened,” Facebook said in a blog post mostly devoted to detailing what happened and the tools being put in place to prevent a recurrence.
“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories,” the company said. “The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post.”
Facebook founder and CEO Mark Zuckerberg as well as his top lieutenant, COO Sheryl Sandberg, have taken wave after wave of criticism this year over the social network’s role in everything from election fraud to data misuse to genocide. Both executives have testified on Capitol Hill in recent months. The company’s involvement with now-defunct data firm Cambridge Analytica and far-right activist groups has been detailed this year in damning reports by the Guardian, The New York Times and Frontline, among other media outlets.