Facebook bug let apps access unposted photos for millions of users

Facebook has disclosed yet another privacy flub. This time around, it says a bug in the Photo API led to third-party apps being able to access not only timeline photos (which users had permitted them to do), but Stories, Marketplace images and photos people uploaded to Facebook but never actually shared.

"For example, if someone uploads a photo to Facebook but doesn't finish posting it -- maybe because they've lost reception or walked into a meeting -- we store a copy of that photo so the person has it when they come back to the app to complete their post," Engineering Director Tomer Bar explained in a post.

The bug affected as many as 6.8 million people across up to 1,500 apps, Facebook says, and it was active for 12 days before it was detected and fixed on September 25th. Companies are supposed to disclose data breaches within 72 hours under EU General Data Protection Regulation rules, though Facebook told TechCrunch it needed some time to investigate the bug's impact and prepare a notice for affected users in various languages. Still, the delay could land Facebook in hot water with EU regulators.

Next week, Facebook will give developers tools to figure out if the bug affected their app/apps, and help them delete any images they aren't supposed to have. If you were impacted, you should receive a notification directing you to a Help Center article that will lay out the apps you use that the bug affected. Though Facebook is working with developers to destroy their copies of images they shouldn't have, it's probably worth logging into those apps to check which of your photos are there.

It's another privacy setback for Facebook at a time when it can barely afford the PR hit. The company is still trying to recover from the Cambridge Analytica scandal, for one thing, and just last week, some details emerged of Facebook's approach to handling user data. For instance, it granted some companies special access to people's personal information.