Slashdot Mirror


Facebook Says A Bug May Have Exposed The Unposted Photos Of Millions Of Users (buzzfeednews.com)

A day after hosting a pop-up store in New York City's Bryant Park to explain how privacy is the "foundation of the company," Facebook disclosed that a security flaw potentially exposed the public and private photos of as many as 6.8 million users to developers. From a report: On Friday, the Menlo Park, California-based company said in a blog post that it discovered a bug in late September that gave third-party developers the ability to access users' photos, including those that had been uploaded to Facebook's servers but not publicly shared on any of its services. The security flaw, which exposed photos for 12 days between Sept. 13 and Sept. 25, affected up to 1,500 apps from 876 developers, according to Facebook.

"We're sorry this happened," Facebook said in the post. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users." Facebook has not yet responded to questions about whether company representatives staffing its privacy pop-ups yesterday were aware of this security flaw as they were meeting with reporters and customers to discuss privacy.
Further reading: Facebook's lead EU regulator opens probe into data breach.

51 comments

  1. If you don't want it on the internet... by tmshort · · Score: 4, Insightful

    Don't post it to the internet!

    1. Re:If you don't want it on the internet... by Lucas123 · · Score: 1

      This.

    2. Re:If you don't want it on the internet... by ConceptJunkie · · Score: 1

      Agreed. Many of life's problems go away if you are not an idiot.

      --
      You are in a maze of twisty little passages, all alike.
    3. Re:If you don't want it on the internet... by Bradac_55 · · Score: 1

      To further compound the problem, at least half of the world's population are idiots (yes, I'm being generous).

    4. Re:If you don't want it on the internet... by AndrewFlagg · · Score: 1

      That was an undocumented feature and by design. I see that all the time. It just gets reclassified as a bug when other eyes notice it and raise it as a bug.

    5. Re:If you don't want it on the internet... by sacrilicious · · Score: 2

      Don't post it to the internet!

      Let's not lose sight of the fact that it's not "the internet" that completely screwed the pooch here, it is *specifically* Facebook, and their long history of leaks, "oopses", non-apologies, etc is going to go on because their whole business model is premised on gathering and selling private data, and they have even less decency than most.

      My version of this advice would be "Choose a much better partner than Facebook in your quest for control over your data."

      --
      - First they ignore you, then they laugh at you, then ???, then profit.
    6. Re:If you don't want it on the internet... by Anonymous Coward · · Score: 0

      You are being conservative here. It is more like 80%.

    7. Re:If you don't want it on the internet... by Anonymous Coward · · Score: 0

      Goes up to 100% when associated with conservative.

  2. Accidentally on Purpose by Oswald+McWeany · · Score: 1

    Is it just me as the perennial skeptic, or does it almost seem like Facebook has a leak or a revelation about something way too often for it to be accidental? It's almost like they're "accidentally on purpose" doing things so that they stay in the news and people don't forget about them.

    No news is bad news right? Let's leak some photos so we can patch the bug next week and stay in the news. They wouldn't do that right? Or would they?

    --
    "That's the way to do it" - Punch
    1. Re:Accidentally on Purpose by Bobrick · · Score: 1

      Hi, we're very sorry about having a leak or a revelation about something way too often for it to be accidental. We promise we'll do better in the future. Starting this week, we'll be rolling out new tools for developers to have less leaks or revelations about something too often for it to be accidental.

    2. Re:Accidentally on Purpose by Anonymous Coward · · Score: 0

      The NSA has infiltrated the development ranks at most of the top tech companies. They routinely sabotage the security. Whether it's hardcoded backdoor passwords, inadequate security controls, weak encryption, etc., it's all part of the plan.

    3. Re:Accidentally on Purpose by Impy+the+Impiuos+Imp · · Score: 2

      Journalists should follow the money, for people looking to sell fb short, or waiting for it to drop as a buying opportunity.

      I first realized this when, the same week Taser went public, suddenly there was a big story about tasers killing people.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    4. Re:Accidentally on Purpose by Anonymous Coward · · Score: 0

      I've learned a long time ago that people don't appreciate perfect software. I still strive for perfection anyway even if not rewarded. What seems to work for people who are getting title upgrades and making the big bucks is: change code often, change code fast, fix bugs slowly, profit.

    5. Re:Accidentally on Purpose by Anonymous Coward · · Score: 0

      Last time they accidentally made a bunch of private posts public, a professor at Rutgers got fired because he was sharing a bunch of anti-semitic troll shit with his friends. I'm sure Facebook staff saw all that shit and decided to "accidentally" make it public. His defense was "I thought that I had made that private just between my friends". Woopsy.

    6. Re:Accidentally on Purpose by rtb61 · · Score: 1

      This is a worse story than Facebook is trying to make it look. Those private photos could be exceedingly private, as in personally pornographic in nature. There are laws against publishing explicit personal photos of individuals; Facebook has factually broken those laws and should face full criminal penalties.

      Remember when all of a sudden a series of web sites banned porn not long back? Guess why the panic. Well, at what age do females start to feel the urge for expensive clothing, makeup, jewellery and of course shoes, at what age do they start getting targeted by intense marketing, and how do you get that money? Now you have the very humorous thot troll, "dob in a thot to the IRS", and the big reaction by thots to that would have triggered an IRS internal investigation. So a review uncovers the age of many of the upcoming self-publishing porn producers and wham, a lot of those social media sites that allow users to earn money with posting were allowing the publishing of really troublesome content, for which they should have gone straight to jail: don't pass GO, no $200.

      You can start to see where this would be extremely troubling for Facebook.

      --
      Chaos - everything, everywhere, everywhen
    7. Re:Accidentally on Purpose by Anonymous Coward · · Score: 0

      This is a worse story than Facebook is trying to make it look. Those private photos

      They weren't private, they were uploaded to Facebook.

      When you put something on somebody else's computer, it's no longer private.

  3. Another NSA-serving "bug".. by Anonymous Coward · · Score: 1

    Oh darn. Oopsie!! Such accidental!

  4. Its always a bug now by Anonymous Coward · · Score: 1

    I'm sure it was just a bug, Facebook. They're all bugs, aren't they? So glad I decided to part ways with Facebook; probably should have never signed up to begin with.

  5. I just bought Blackmail stock by nospam007 · · Score: 1

    I'll be so rich.

    1. Re:I just bought Blackmail stock by Aighearach · · Score: 1

      I tried to, but I ended up with BLCM and it was a total dud.

      Reminds me of the time my friend recommended Cisco to her grandma, and she bought Sysco instead.

      Except, Sysco was a good buy.

  6. Exactly. by Anonymous Coward · · Score: 0

    And don't be selective: not OK on Facebook but OK on LinkedIn.

    NOPE! Neither.

    I deleted my profile from LinkedIn after I was phished too many times. These "recruiters" were really sneaky and fortunately, I'm cynical enough to check every inquiry I received.

    And when an organization recruits exclusively from LinkedIn, I say, "Make an exception for me or forget it." Goodwill.
    Goodwill skims LinkedIn and recruits from there.

    When I expressed my concerns, I was told by the IT director, "No, it's not like Facebook where people are posting things on your wall (or whatever it's called)."

    He didn't get it. He didn't get why I didn't want to post ANY personal information - especially something so sensitive as my work skills and history and other things. Nope, I'm not working for a clueless idiot. Like Goodwill Industries.

  7. Wait, what? by Anonymous Coward · · Score: 0

    So their solution to accidentally sharing photos users uploaded (supposedly for some purpose) but didn't want shared is going to be to delete the photos? This is yet another reason not to store shit "in the cloud" (or on other people's computers). Ridiculous if that's really what they think will "fix" the problem.

    1. Re:Wait, what? by Aighearach · · Score: 1

      This shows that even if you thought about posting something to the cloud, but decided to click "cancel" instead, it might already be too late!

      Even just thinking about posting something to facebook is enough for it to leak out into public. Yikes.

  8. Proper etiquette by ConceptJunkie · · Score: 1

    You know, it's proper etiquette to provide a torrent link for stories like these. j/k

    I'm almost becoming inured to these data leak stories. I use Facebook, but I would never post photos that I would care about being made public... that's why I put them up there. If anyone is interested in looking at some big, doughy white guy, and the food he cooks, more power to them. I figured out 25+ years ago that I simply wouldn't post anything online that I wouldn't want to see on the front page of something like Reddit, or that I wouldn't want my Mom to see.

    I'm more concerned about organizations like Equifax, who seem to have suffered no significant effects from leaking important information about practically every adult in the country that could seriously affect people's lives.

    --
    You are in a maze of twisty little passages, all alike.
  9. Amateur Web Site at Best by Anonymous Coward · · Score: 1

    Facebook increasingly resembles some amateur web site (filled with home pages) run by beginners who overstate their technical skills.

    1. Re:Amateur Web Site at Best by TWX · · Score: 2

      A little secret for you, the bulk of IT is run by beginners who not only overstate their technical skills, they also personally overvalue their technical skills. In short, they don't really understand how poor their skills are.

      Now consider that as a basic starting point for a developed platform, then factor it in with the software running on that platform, for the higher-level protocols that let that software communicate, and for the staff that maintain the systems, and one can see why breaches are so damn common.

      --
      Do not look into laser with remaining eye.
    2. Re:Amateur Web Site at Best by Aighearach · · Score: 1

      It is what Geocities would have been if they implemented chat.

  10. You know it makes sense... by Anonymous Coward · · Score: 0

    Delete your Facebook account, do something more useful with the time saved and rest easy knowing they can't monetise you any further!

    https://www.facebook.com/help/...

  11. Alternative facts by Anonymous Coward · · Score: 0

    “We care deeply, as deep as a company can care about privacy,” vice president of marketing solutions Carolyn Everson said in an interview with Digiday on Thursday.

    "We care deeply about privacy”. -- Facebook VP

    Bwa-ha-ha-ha!

    “as deep as a company can care”

    Ah, so "not at all", then. A case of "what the big print giveth, the fine print taketh away".

  12. Huh? by Anonymous Coward · · Score: 0

    A day after hosting a pop-up store in New York City's Bryant Park to explain how privacy is the "foundation of the company,"

    What the actual hell kind of bullshit is this?

    The entire purpose of Facebook is to collect and sell your data, and nothing Zuckerberg has ever done supports the conclusion that privacy is the 'foundation' of Facebook.

    I don't use Facebook any more (did for about 6 months with an account populated with false information), and block all of their domains in all of my browsers ... but this is the most fucking bold faced lie I've seen from them in a while.

    Who the fuck actually believes that privacy in any way factors into anything Facefuck have ever done?

    I trust what Facebook says about as far as I can throw Zuckerfuck off a fucking roof. When someone lets me throw him off a roof, I'll give you an answer other than "minus infinity".

    Until then, every Facebook spokesperson ever is presumed to be a lying sack of shit, because so far they pretty much are.

    1. Re:Huh? by Impy+the+Impiuos+Imp · · Score: 1

      The entire purpose of Facebook is to collect and sell your data, and nothing Zuckerberg has ever done supports the conclusion that privacy is the 'foundation' of Facebook.

      Not quite nothing. The advantage it gave over MySpace that let it overwhelm it was that you could limit views to your friends.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  13. Common file sharing hack is this by 140Mandak262Jamuna · · Score: 1

    Unposted messages and photos are used to share information privately as a sort of ad-hoc drop box.

    People share log-ins and save things as drafts for the other party to read, some under the impression it is really private. I was shocked to see some general commanding our troops in Afghanistan using it to share notes with some lady he was having an affair with. Talk about blackmail vulnerability!

    So the impact of this bug is going to be quite big.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  14. It wasn't even posted though... by SuperKendall · · Score: 3, Interesting

    The thing is, these were images that were not technically posted.

    It's interesting because Flickr has a feature that makes me wonder, where you can keep your whole camera roll uploaded - it's not made public, just stored.

    Given this Facebook breach, keeping private photos like that on Flickr seems like it may be a bad idea as well... if you have anything you would mind being leaked anyway.

    I wonder at what point private photo leaks will significantly start impacting politics (maybe they are already).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re: It wasn't even posted though... by Anonymous Coward · · Score: 0

      Wrong. The photos were uploaded. Whether or not they were "posted" depends on how you define that word.

  15. So they ask for your nudes..... and then... by Puls4r · · Score: 2

    https://www.independent.co.uk/...

    So they want us to upload nude photos to stop revenge porn, then they allow access to all these other photos. Ho boy.

  16. Why? by Anonymous Coward · · Score: 0

    Why is anyone using Facebook anymore? I think these must be the same people who are still using leaded gasoline in their cars and asbestos insulation in their homes.

  17. cloud computing by Anonymous Coward · · Score: 0

    It's called cloud computing, not secure computing.

  18. "privacy is the foundation of the company" by thomn8r · · Score: 1

    Best joke I've heard all week! Oh, you mean monetization of privacy; OK, that makes more sense.

  19. The more we learn about Facebook... by QuietLagoon · · Score: 1

    ... the worse Facebook looks.

  20. The Antonym by Anonymous Coward · · Score: 1

    RE: privacy is the "foundation of the company"

    Are they so accustomed to lying that they can keep a straight face now when they say things like this?
    Facebook is the antonym of Privacy! They've always been the last to adopt any security practices, and only when forced.

  21. transitivity retainer by epine · · Score: 1

    Does Facebook's genie-stuffing operation also extend to Facebook partners whose own security melted down while they were in possession of illicit private-image contraband (and their partner's partners, too, et al and sundry)?

    If so, they might want to maintain the CDC on a warm and cozy legal retainer (and the CDC might want to base itself in a larger home city—there are some things Atlantis just can't do).

  22. Why is the access there in the first place? by Anonymous Coward · · Score: 0

    The real WTF here is that the third party developers have access to users' photos (private or not) in the first place, and that they are STORING those photos themselves for whatever use (as FB is now working with them to remove the private ones).

  23. "May Have" by Greyfox · · Score: 1

    They mean "did."

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  24. But now they are in the public domain by Anonymous Coward · · Score: 0

    we can run face recognition and other marketing profile privacy invasion shit on them

  25. Huge problem with phones by Anonymous Coward · · Score: 0

    Even if you don't explicitly post your pictures on the internet, the applications on your mobile phone, including Facebook, mine photos taken with your camera.

    When you log into Facebook from a new device or IP address, it often asks you to identify persons in random pictures. Those pictures aren't ones that users have even shared.

    People here like to tout how clever they are by saying how they disable permissions on their phone, etc., etc., but we're either using Apple's OS, which is known to snoop on users' data, or Android, which is an OS by an ad company.

    The only way, for now at least, is to take pictures using a dedicated camera device, but even then you shouldn't enable its wifi feature - until they start going rogue too, like TV manufacturers where, even after disabling wifi, they still constantly ping for wifi signals to connect to.

  26. Checking the URL.... by ZoomieDood · · Score: 1

    Hmmm... Slashdot. News for Nerds...

    Wait. Facebook lacking privacy of users' info?

    This isn't NEWS! It's SOP.

  27. "Move fast and break things" by Anonymous Coward · · Score: 0

    When your core engineering philosophy is to only worry about short iteration times with no regard for quality, it's only natural to expect this sort of stuff.

    Facebook is no longer a scrappy start-up, it's a multi-billion dollar company with a mature product. The mantra of "move fast and break things" should have been killed and buried a long time ago.

    I don't work there, but my view is that the company is a mess. I get calls and emails from recruiters there a few times a year asking me if I'm interested now. This is despite me saying each time that I don't want to work for a company I consider to be unethical and whose products I do not use. My replies are obviously in the recruitment file they have on me, but they continue to hit me up.

  28. All I'm hearing from Facebook lately is "we're sorry" by Anonymous Coward · · Score: 0

    So you know that the only thing they really are sorry for is that they keep getting caught.