Leaf&Core

Yet Another Facebook Security Flaw Leaks Photos


Is it that time of the week already? Time for some more bad news about everyone’s least favorite—yet still somehow necessary—social network, Facebook! They’ve played fast and loose with permissions and privacy, allowed unprecedented access to your data and your friends’ data, enabled sexism, allowed hate speech, sold a child bride, and contributed to (and downplayed) genocide. Plus, they’ve denied everything along the way. Now they’ve settled on allowing security flaws that give third-party developers complete access to your photos. Facebook fixed the issue back in September. Now, nearly three months later, Facebook is telling us about it.

I guess it would have been too much bad press in September to tell us then. For the past three months, developers that have been granted access to these photos still have access. Facebook is working to get them to delete the photos, and you can disable photo sharing in settings.

Of course, if any of those apps were malicious, it’s already too late. Your photos have been stolen, and you were too slow to stop them. Not that you can be blamed; you didn’t know about it until just now.

What the Leak Was

Facebook “security” broken again.


Facebook’s leak included over 6.8 million Facebook users. Those users may have used one of 1,500 apps. The breach was open for 12 days in September, from the 13th to the 25th. Facebook discovered the bug on September 22nd, but wasn’t able to fix it for three days.

These 1,500+ app developers were able to get their hands on your Facebook photos. All of them, even the ones that were private or set to “Only me.” Furthermore, the developers were able to access photos you didn’t even upload. If you started a photo post, either by accident or purposefully, and decided not to complete the post, Facebook stored the photo anyway. It was saved as a draft that you had no access to or ability to delete. Third-party Facebook developers were able to get their hands on those private photos as well.

“Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

– Tomer Bar, Facebook Representative

Facebook is only telling users now because they’re finally ready to roll out an initiative to ask developers nicely to delete any photos they may have obtained through the bug. The developers are under no real legal obligation to do so, though, and Facebook would not be able to easily verify whether or not they stored your photos. Even with server logs, they’d still have a hard time proving that someone didn’t simply take screenshots of the images, use a capture card, or simply delete or spoof the logs. Frankly, Facebook can do next to nothing to ensure your photos are safe.

Facebook May Have Broken European Law

In Europe, the General Data Protection Regulation (GDPR) requires prompt information regarding breaches. Because Facebook waited months to tell regulators about this breach, far more than the 72 hours allowed by law, Facebook could face penalties in Europe. As Facebook uncovered the flaw on the 22nd, and only had a fix on the 25th, they likely decided not to disclose the breach because they didn’t have a fix yet and knew it would look bad.

In the United States, where companies are generally unrestricted and allowed to treat their customers and users poorly, Facebook will see no penalties.

What You Can Do

Tinder has quite a few permissions, but that’s by design.

Settings > Apps and Websites > View and Edit (ON EACH ONE)

Unfortunately, Facebook’s privacy and security are intentionally obtuse. The goal is for you to expose as much of your data as possible, while still claiming you have the option not to. That’s how Facebook makes their platform valuable to developers.

First, go into settings. On web, this is in the little drop-down menu from the triangle on the top right. On mobile, it’s a bit more difficult to find. First, it’s in the three-bar menu on the lower right. Next, scroll to the bottom and select Settings and Privacy, then Settings. From Settings on web, you want “Apps and Websites.” On mobile, this section is called “Logged in With Facebook.”

Here, you can view and edit the security settings for each app. You will have to search through them individually. There’s no sorting based on permission. You just have to work. Facebook doesn’t make this easy because if it were easy, you’d ensure that apps don’t have so many permissions. Your data is why developers find Facebook login attractive. This is why we use it.

If you’re expecting a list of the 1,500+ developers who have your photos, too bad. Facebook is refusing to release this information. You’ll just have to search for yourself. My guess is, the list contains many disreputable developers, and Facebook doesn’t want to admit that your photos were likely stolen maliciously.

This Leak’s Impact

Hiding from Facebook is harder than hiding from a super powered P.I.

I don’t know about you, but I consider everything I upload to Facebook to be the public’s. Facebook’s security is as strong as a wet newspaper. Furthermore, I think we all know that Facebook is little more than a tool to keep us distracted so advertisers can shove targeted ads into our faces. Still, there’s a reasonable expectation of privacy and security, especially since leaked photos included ones you never actually posted.

A stalker could work on one of these apps or platforms and have access to your photos, even the ones you haven’t shared. Someone building profiles on you could use Facebook’s security breach to steal your photos, run them through machine learning, and tag people and objects in them, gaining more information on you than you allowed. Facebook’s lax security has, once again, put its users in danger.

This is, as far as Facebook’s leaks and problems go, a small one. Had this been any other social network or service, users would be furious. Facebook leaked our photos, even the ones we didn’t actually post? That would be a scandal that would destroy most companies. Fortunately, we’ve already lowered the bar for Facebook so low that no one’s surprised and the impact will be small.

Knowing that though, don’t you think it might be time to reduce or eliminate your Facebook usage?

