Facebook says new bug allowed apps access to private photos of up to 6.8M users

512 points by chrisseldo, over 6 years ago

33 comments

makecheck, over 6 years ago
I *never* assume that “settings” guarantee what they claim. It’s just not practical even with good intentions, for a single non-public code base.

As a developer, I know it is hard to implement something once, harder to implement consistently across multiple interfaces, and damn near impossible to keep correct years later after employee turnover and other twists.

The sad thing is that it costs a ton more money to do things really well, and companies can basically take advantage of the low price of doing things poorly until finally forced. And by then, they have tons of money so *they* can comply but any startup is screwed because now it costs more for everyone, even those entering the game.

ucarion, over 6 years ago
Facebook is a global database of political dissidents, queer persons, apostates, and other categories of people whose physical safety is put in peril when their personal lives are leaked.

Facebook *surely* must be heavily fined and regulated for their misbehavior, because to fail to keep Facebook data safe is to put lives at risk.

bluetidepro, over 6 years ago
> "We're sorry this happened."

That about sums it up for all these privacy breaches these days. It's getting to the same level of "thoughts and prayers" for tragedies. No actual change or consequences for the problems happening, just empty "sorries" and "promises" that it won't happen again/they'll get it fixed. I don't know if this is a GDPR violation or not (as someone else asked), but if it is, I hope we start actually seeing action of these sorts of things.

jasonkester, over 6 years ago
“Private” photos that people uploaded to Facebook.

Sounds like a good time to reiterate the advice: Don’t upload things to the internet that you don’t want to be on the internet. That way there won’t be any of your things on the internet that you didn’t want to be there.

synthmeat, over 6 years ago
People here are calling for draconian measures without considering low-hanging fruits first - why not just require the platform to disclose this within its primary medium?

Bright big popup right over main facebook.com (and peripheral webs/apps) dismissable only if you scrolled it all the way down, confirmed to have read it, saying "private photos of millions of users were leaked" in big bold letters, would go a long way.

newscracker, over 6 years ago
If there’s one thing that Facebook has been highly successful at, it’s making people numb and uncaring about any of these “bugs”.

Like the saying goes, “One death is a tragedy; one million is a statistic” — Facebook has made all its privacy blunders and issues over many years a statistic...something people may nod their head at, feel bad for a moment and go back happily to the same company’s platforms.

Unless lawmakers around the world do something, nothing will materially affect Facebook (the company). Even if they do, I personally have no faith that the company is capable of changing unless people at the top, like Mark Zuckerberg and Sheryl Sandberg, are out.

imgabe, over 6 years ago
I think it should be clear to everyone at this point that nothing on Facebook is private. Don't put anything there you wouldn't post publicly.

rhegart, over 6 years ago
Remember when Facebook wanted you to upload nudes so they could help keep them off of Facebook and the internet...yeahhh hopefully no one trusted them with that. Also are there even any safeguards preventing private photos like these or even nudes from not being able to be viewed by any admin? I hope there is...

inetknght, over 6 years ago
> *The bug also impacted photos that people uploaded to Facebook but chose not to post.*

What about, for example, pictures sent in a private message?

I'm so very glad I deleted my account months ago.

tareqak, over 6 years ago
The Irish Data Protection Commission says that it opened a broad investigation into Facebook's GDPR compliance in light of numerous data breaches - https://www.ft.com/content/d796b5a8-ffc1-11e8-ac00-57a2a826423e

Rjevski, over 6 years ago
As usual, I'd like to point out how scummy this site really is.

The paywall advertises a "Premium EU Ad-Free Subscription" which is more expensive than the standard subscription and explicitly states "No on-site advertising or third-party ad tracking" as one of the perks.

Trying to buy it has the following:

> By subscribing, you agree to the above terms, the Terms of Service, Digital Products Terms of Sale & Privacy Policy.

On the privacy policy, we have this:

> When you use our Services, third parties may collect or receive certain information about you and/or your use of the Services (e.g., hashed data, click stream information, browser type, time and date, information about your interactions with advertisements and other content), including through the use of cookies, beacons, mobile ad identifiers, and similar technologies, in order to provide content, advertising, or functionality or to measure and analyze ad performance, on our Services or other websites or platforms. This information may be combined with information collected across different websites, online services, and other linked or associated devices. These third parties may use your information to improve their own services and consistent with their own privacy policies.

There is absolutely no mention of the "Premium" ad-free subscription in the privacy policy at all, so they are still granting themselves the right to stalk you all over the place *even* with the premium, more expensive subscription.

Not to mention, the privacy policy page itself loads a handful of different trackers before any kind of consent was even granted. I can see Google Analytics, something from "c.go-mpulse.net", something else from "bam.nr-data.net" explicitly sending my user-agent in the URL (why? They'd get it in the headers anyway), Google News JS, Google Pay and the New Relic JS agent.

My only response to this is a big "fuck you" and this link: https://outline.com/zd5du7 so you can read the content without any of that garbage and without paying them since they don't even deserve a single penny.

cmurf, over 6 years ago
I needed to change my phone number for an online account for a major well known transportation company. The app offers a way to do this, and receive a text message containing a verification code. Upon receipt the code is autoentered into the app, but immediately got an error that said I had to open a support ticket which can only be done with a web browser, not in app.

Customer support by email says I have to provide a copy of my driver's license or passport to "secure the account". I said that's not reasonable, companies leak too much personal data so you can't have any more of mine, I'll just open a new account. They replied they'd just change the phone number (now no longer requiring the required photo ID). They did and the end.

- No explanation why the verification code process would not work.

- None of my IDs have either my email address, account number, or phone number, and the account doesn't even have my name on it. Giving them photo ID does jack shit for the purpose claimed.

- If the account security is questionable, you should not only require text verification of the new phone number, but they should have removed my stored payment accounts, requiring me to reenter them. AFAIK the credit card verification requires CVV and phone number matching the credit card account. That seems like the right way to secure the account rather than bullshit photo IDs.

cody3222, over 6 years ago
Didn't they just launch a feature earlier this year telling people to upload their nudes so they could better detect when an ex misused them?

https://www.theguardian.com/technology/2017/nov/07/facebook-revenge-porn-nude-photos

graeme, over 6 years ago
On this topic, does anyone know if photo access granted to facebook apps on iOS means facebook will upload all photos in the background?

Have never seen an analysis of it.

saulrh, over 6 years ago
It's too much to hope that Facebook takes a hint from Google and shuts down its social network to preserve user privacy, right?

bob_theslob646, over 6 years ago
How come Google never has had a breach? Do they do a better job with security? Is Facebook more of a target than Google?

chrisseldo, over 6 years ago
Facebook's release: https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/

foobaw, over 6 years ago
Where are the technical details on what the bug was and how it was possible? Shouldn't this be disclosed?

addicted, over 6 years ago
I’ll be interested in seeing what the number of affected users actually ends up being. As John Gruber at Daring Fireball has pointed out, Facebook has a rich history of giving initial numbers which tend to grow by orders of magnitude over the coming weeks.

connorgutman, over 6 years ago
Someone needs to go Mr. Robot and 5/9 Facebook's servers. This is getting ridiculous.

Jaruzel, over 6 years ago
As IT people, we owe it to our families to offer to self-host their social data on one of the many open-source platforms that are available.

Maybe spend some time over the Xmas period having 'The Conversation' with our loved ones about their data safety?

polskibus, over 6 years ago
Does it fall under GDPR violation?

spiderPig, over 6 years ago
Turns out solving 3000 Leetcode questions doesn't teach you how to do security right

ben174, over 6 years ago
Unrelated, but I'd love to know how that article managed to get a picture of that Facebook sign without people standing in front of it. I drive by it daily and I've *never* seen it without people posing in front of it :)

sakisv, over 6 years ago
At which point should we stop treating these things as bugs and start treating them like features instead?

Not this particular thing per se but, you know, it's Facebook. As the recent history has proven these things kind of come with the package.

Oras, over 6 years ago
Since Facebook is walking away all the time without any consequences, this will happen again and again.

The long-term solution to this mess should come from users abandoning it which is happening gradually based on recent reports.

snovv_crash, over 6 years ago
The more leaks there are, the more I feel that the mindset will shift from user data being an asset to a liability.

sammycdubs, over 6 years ago
That privacy popup in NY really worked!

annadane, over 6 years ago
I mean, it's a bug. Happens to everyone. Criticize them for the things they should be but don't make a case out of everything.

Mc_Big_G, over 6 years ago
Why is anyone still using FB/Whatsapp/Instagram? It seems the vast majority just don't care at all about privacy.

keyboardmowing, over 6 years ago
Wasn’t there a point in time that fb wanted users to submit their nude photos so that they could better detect fake profiles? Lol

jhowell, over 6 years ago
Not very good at the data security thing. In other industries such as health care, there are tables that define fines and penalties. Maybe the same is needed here.

yumraj, over 6 years ago
Most of the comments below are echoing the statement "jail time for bugs!!!!!" and similar sentiments, and therein lies the problem.

"bugs" is a catch all word, it covers everything from a pesky typo in UI to bugs like this, severe security issues, meltdown/spectre, VW bugs, and so on and so forth.

Of course no jail time for a typo, but why not a jail time or severe financial and career consequences for severe bugs especially when it can be shown that a bug was caused due to intentional decisions, malicious intents, sloppy testing, rushed product etc. and not due to genuine mistakes - similar to medical malpractices.

Of course lawyers will love it, but it can improve the overall situation.

And yes, I'm a software engineer and do know what I'm talking about.