A developer uncovered a Facebook vulnerability which granted access to the photos taken on mobile devices synced to Facebook. Up to 6.8 million people who gave permission to third-party apps unwittingly allowed those developers to view the photos they took. This includes photos those they did not explicitly share with Facebook.
Another Security Breach for Facebook
Facebook is still reeling from a data breach that affected 30 million of its user accounts in October. This latest vulnerability was exposed by an independent developer Laxman Muthiyah. He describes how he discovered it and brought it to Facebook’s attention in an article published in The Zero Hack. It’s an interesting, if somewhat technical read. Facebook appears to have corrected the problem within hours. But it is unclear how many users’ private photos were exposed to third parties. It may never be known if any of those photos were downloaded by the developers of those apps or by hackers who gained access to those apps. Facebook believes the problem may have lasted from September 13 through September 25 of this year.
Facebook Mobile App Automatically Synced and Shared Photos
The cause of the problem is technical but it involves three parts. First, when a user installs the Facebook mobile app on their mobile device, the default setting is to activate a feature called “Sync Photos”. This creates a backup of all photos (up to 2 GB) taken on the device to Facebook. Photos are backed-up automatically whether they are explicitly shared or not. Second a user gives permission for a third-party app within Facebook to access their photos. That app is supposed to have access only to the photos the user shares on his or her timeline.
Third a vulnerability allowed third-party apps to access not only the photos they were granted permission to see but all the other photos backed up to a user’s account such as in Marketplace or Facebook Stories. These are not photos the app is supposed to be able to have access to. Facebook says that up to 1,500 apps built by 876 developers may have been affected by this security breach. It’s unclear how many of those apps were themselves vulnerable to misuse.
What Should You Do?
Facebook says they have already corrected the problem and plan to notify the people affected. Unfortunately, it isn’t clear what if anything you can do about the risk you were exposed to. Facebook recommends that you review what apps you share photos with and modify those settings. MyProfyle recommends you take this a step further and urn off the default photos sharing between your device and Facebook. We understand why Facebook wants your photos but you really don’t need to backup your photos and videos to Facebook. There are many other options to backup your data that don’t share it with third parties.
At MyProfyle, we believe this threat is further proof that everyone’s information is at risk from many different sources and that we are all exposed multiple times per year. The solution to identity fraud is not to try to lock your identity or seek unobtainable privacy but to control your identity – not just your credit – by putting yourself in the position know of, approve or decline activity conducted in your name. That’s MyProfyle Free For Life ™ Identity Protection.