As many as 6.8 million Facebook users may have been affected by a bug in the social network’s photo API (application-programming interface) that gave some third-party apps access to more photos than they were given permission to access.
Facebook said in a blog post that from Sept. 13 through 25, up to 1,500 apps built by 876 developers may have been able to access photos other than the ones people shared on their Timelines. The bug has been fixed.
This issue only affected apps with authorization to access Facebook’s photo API and permission granted by users to access their photos.
Examples of photos that may have been affected include those shared to places other than Timeline, such as ecommerce destination Facebook Marketplace and Facebook Stories, as well as photos that were uploaded to Facebook but not posted.
The social network explained the latter as follows: “For example, if someone uploads a photo to Facebook but doesn’t finish posting it—maybe because they’ve lost reception or walked into a meeting—we store a copy of that photo so the person has it when they come back to the app to complete their post.”
Facebook said it will roll out tools for app developers early next week to enable them to determine whether users of their apps were impacted and to delete photos that should not have been accessed.
People who were impacted will see the alert pictured below, which will direct them to a Help Center page with more information.
The social network also suggested that people log in to the apps they have allowed to access their photos and check which photos those apps have access to.