It’s not Facebook’s year. The company has revealed a new bug was discovered in the photo API which may have let third-party apps access to user photos. The bug existed for almost 12 days.
Facebook addressing the developer community put out a post detailing the issue. Citing that a photo API bug may have affected people who used the Facebook Login, it said third-party apps got access to user photos for approximately 12 days from September 12, 2018 to September 25, 2018.
When user posts on his/her timeline Facebook generally gives apps permission to access these photos. But this bug gave developers access to other photos besides what they were authorized to. The bug gave the developers access to photos that user uploaded to Facebook but chose not to post it.
“For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo for three days so the person has it when they come back to the app to complete their post,” said the post on Facebook’s blog for developers.
The cybersecurity issue may have affected up to 6.8 million users and around 1,500 apps built by 876 developers. Facebook apologized for the mishap and said that the issue was fixed. They are planning to notify the people who were affected via an alert of Facebook.