A bug permitted apps to access photos you uploaded to Facebook but chose not to post

A bug that Facebook discovered in its photo API may have permitted some third-party apps that you granted permission to access your account to also retrieve photos which you uploaded to Facebook but chose not to post.

Facebook has now corrected the issue which occurred for twelve days between September 13 and September 25 and involved uploaded photographs from a whopping 6.8 million users. It believes the bug may have affected 1,500 third-party apps built by 876 developers.

It’s important to note that the only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos through the Facebook Login feature that many apps and websites use.

In other words, the bug did not impact photos privately shared via Messenger. Naturally, it wouldn’t have exposed photos never uploaded to Facebook from your camera roll or computer.

Facebook wrote in a blog post:

We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.

We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.

You can see an example of this user notification below.

To test if your account has been affected by this problem, visit Facebook’s Help Center. If no third-party apps have accessed photos you uploaded to Facebook but kept private, you should see a message saying that “Your Facebook account has not been affected by this issue and the apps you use did not have access to your other photos.”

Facebook clarified further:

When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories.

The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post.

“We are also recommending people log into any apps with which they have shared their Facebook photos to check which photos they have access to,” the company cautioned.

Are you affected by this blunder?

Let us know in the comments.