Home > Tech

Facebook bug gave developers access to photos you never meant to share

That's a little too "connected."
By Rachel Kraus  on 
Share on Facebook Share on Twitter Share on Flipboard
Facebook bug gave developers access to photos you never meant to share
It's a Facebook bug's life. Credit: Thomas Trutschel/Photothek via Getty Images

It's a Friday, people, which means there's more bad news from Facebook.

Facebook disclosed a data breach on Friday that affected 6.8 million users. The trouble once again came from the connectivity of third party apps. Facebook says it is "sorry this happened."

SEE ALSO: Facebook fined £500K for 'serious breaches' of data protection law

From September 13-25 of this year, developers had access to Facebook users' photos that they never had permission to see. Typically, apps should only be able to access photos in users' timelines. But while the bug was active, apps had access to photos in people's stories and photos they'd uploaded to Marketplace.

Perhaps most troubling, apps could also access photos that users may have uploaded to Facebook, but chose to never post. This means that Facebook actually stores photos that you uploaded and then thought, "hmm, better not," for an unspecified amount of time. Here's how Facebook explains it:

Mashable Light Speed
Want more out-of-this world tech, space and science stories?
Sign up for Mashable's weekly Light Speed newsletter.
By signing up you agree to our Terms of Use and Privacy Policy.
Thanks for signing up!

The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo so the person has it when they come back to the app to complete their post.

This photo breach may seem like small potatoes in comparison to the 50 million person attack in September in which hackers exploited a vulnerability to steal the personal information of 29 million people. Giving access to photos you never meant to share is troubling, but perhaps not as damning as getting your contact information and a host of other information pinched by potential identity thieves.

The timing is what's tricky here. Facebook disclosed the 50-million user data breach on September 25 — the same day it became aware of the photo bug. Under the GDPR, Facebook has 72 hours to notify users of data compromises. So why did Facebook wait nearly three months to tell us about this joyous invasion of our privacy?

Facebook plans to notify affected users with an "alert." That will send them to the Help Center where they can see which apps may have had access to their "other photos." There is no information about revoking access — once the unshared photo cat is out of the bag, it's apparently out.

Here's a mock up of the alert:

Mashable Image
Facebook will notify users of a photo bug. Credit: Facebook

Mashable has reached out to Facebook to learn more about the timing of the incident, and whether there is any connection between the photo bug and the personal information breach. We're also asking about how long Facebook stores the photos you've chosen not to share, and whether there's a way to access and delete them. We'll update this story when and if we hear more.

Featured Video For You
Facebook's data breach and what it means for you — Technically Speaking

Topics Cybersecurity Facebook Social Media

Mashable Image
Rachel Kraus

Rachel Kraus is a Mashable Tech Reporter specializing in health and wellness. She is an LA native, NYU j-school graduate, and writes cultural commentary across the internetz.

Recommended For You
Save $15 when you spend $100 on a Lyft gift card at Amazon
By Leah Stodart
Two people riding in back seat of car and laughing
Tesla might launch a voice assistant soon
By Stan Schroeder
Tesla Model 3 interior
Tesla Model 3 Performance is here. Here are 5 things that make it great, and 3 drawbacks.
By Stan Schroeder
Tesla M3P
The case for Tesla without Musk
By Chris Taylor
Elon Musk looking grim in black and white.
Mercedes-Benz beats Tesla to selling Level 3 autonomous cars in the U.S.
By Stan Schroeder
Mercedes-Benz EQS
Trending on Mashable
NYT Connections today: See hints and answers for May 12
By Mashable Team
A phone displaying the New York Times game 'Connections.'
'Wordle' today: Here's the answer hints for May 12
By Mashable Team
a phone displaying Wordle
NYT Connections today: See hints and answers for May 11
By Mashable Team
A phone displaying the New York Times game 'Connections.'
An aurora will light up in unusual places as solar storm rages
By Elisha Sauers
Indiana seeing an aurora borealis
NYT's The Mini crossword answers for May 12
By Mashable Team
Closeup view of crossword puzzle clues
The biggest stories of the day delivered to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up. See you at your inbox!