【Facebook漏洞暴露680萬用戶的私人照片】近日,Facebook宣布了另一起影響其數百萬客戶的安全事件,其1,500個應用程序能夠訪問多達680萬用戶的非公開照片。其開發人員Tomer Bar表示,該漏洞會讓開發人員訪問其他照片,例如在Marketplace或Facebook Stories上共享的照片,此外還會影響人們上傳到Facebook但選擇不發布的照片??。

Facebook bug exposed private photos of 6.8 million users

Up to 1,500 apps built by 876 developers could have had accessed the private photos of 6.8 million users.

Image: Facebook

Facebook announced today another security incident affecting millions of its customers. This time, the company said that a bug in one of its APIs exposed the private photos of nearly 6.8 million users.

Facebook blamed this new leak on a Photo API bug that was present in its backend code between September 13 to September 25, 2018.

The company said that during that interval the bug allowed Facebook third-party apps to access more than just the user's public photos. Tomer Bar, a Facebook developer, provided the following?explanation?about the Photo API bug leak:

When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo so the person has it when they come back to the app to complete their post.

Bar said that a Facebook investigation revealed that 1,500 apps built by 876 developers might have been able to access the non-public photos of up to 6.8 million users.

It is unclear if any of these apps abused the bug to actually access and download users' private and non-posted photos.

Facebook said it would start notifying affected users. These include users who installed any of the 1,500 apps and gave the app permission to access their photos. The notification, displayed above, will list what apps users had installed, allowing users to uninstall them if they wished to. Users can also visit a?dedicated web page?to found out if they were affected.

Earlier this year, Facebook announced that an unknown threat actor had used a combination of three bugs to download personal data?from over 50 million users, a number it later?downgraded to 30 million.

Facebook is also the third major tech company to announce a major bug in one of its APIs. Twitter announced a?similar API issue in September, and Google announced two API issues, one in October (500,000 users affected) and another one in December (52.5 million users affected).


Comments are closed.