Bug in the Image API allowed developers to access user images, according to Facebook.
Here’s yet another information leak at Facebook, and this time about 7 million users were affected. The bug existed in the Image API and was open between September 13 and September 25. The bug was present in 1500 third-party applications developed by 876 developers.
The bug is severe because it allowed user images to be stolen, and not only public ones. Users’ non-public and personal images were exposed to theft as well.
In addition, if users tried to upload a picture but did not complete the process, Facebook still kept the picture in its database, and these images were also exposed by the bug.
A developer named Tomer Bar from Facebook published an explanation for the bug:
“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post.”
Facebook once again fails at keeping its users’ personal information personal. It will be interesting to see whether this time users begin to leave the social network, which has recently been involved in too many cases where its users’ private data leaked out.