Facebook says a photo API bug exposed to third-party developers photos that users hadn't yet shared.

6 months ago

Facebook announced on Friday that private photos of millions of users had been exposed by a photo API bug.

Facebook said that apps to which users had given permission to access their Facebook photos could also have accessed photos that had yet to be shared. These photos were accessible because the platform stores a copy of photos that users attempt to upload but do not finish sharing on their profile.

Facebook said the bug in its photo API affected a 12-day window between Sept. 13 and Sept. 25 and gave access to up to 1,500 apps built by 876 developers. Facebook said the bug did not affect photos that were shared in Messenger conversations and that Facebook became aware of the bug and fixed it on Sept. 25.

A Facebook spokesperson justified the delay in revealing the issue in the following statement:

"We have been investigating the issue since it was discovered to try and understand its impact so that we could ensure we are contacting the right developers and people affected by the bug. It then took us some time to build a meaningful way to notify people, and get translations done."

As a result of this bug, the company said it believes the photos could have been accessed by 1,500 apps built by 876 developers.

The social network said it will notify people potentially impacted by the bug.

"We're sorry this happened," Facebook said in a post on its developer blog written by Tomer Bar, an engineering director at the company.