Experts Comments On Facebook Reveals Another Privacy Breach, This Time Involving Developers

Facebook has quietly revealed another privacy breach involving approximately 100 developers. On Tuesday, Konstantinos Papamiltiadis, Facebook’s Director of Platform Partnerships, said in a blog post that the names and profile pictures of users connected to Groups and the system’s API were accessible.

Before April 2018, group administrators could authorize an app for a group they managed, giving the application developer access to this information. In April last year, Facebook restricted that access to just the group’s name, the number of users, and post content, unless users opted in to share their name and profile picture. Facebook says, however, that some apps retained access to this additional data until recently, ZDNet reported today.

Joseph Carson, Thycotic, Chief Security Scientist
November 07, 2019
FACEBOOK must prioritize privileged access management best practices and apply the principle of least privilege.
Another major FACEBOOK data breach resulting from poor API Access security controls. API Access should be treated as privileged and any access to APIs should follow privileged access management best practice security to ensure that access is approved and authorized. APIs typically allow automation and integration to ensure that applications can perform the tasks to function properly however m ....
Will LaSala, Director of Security Services, Security Evangelist, OneSpan
November 07, 2019
Now Facebook has made a change to their privacy policy and is ensuring that applications adhere to that policy.
In my view, Facebook was reviewing their policies and how they were implemented, then came across an unintended flaw in their APIs that allowed certain developers access to information that they now restrict. From Facebook’s explanation on their blog, most of these apps were designed to help manage people within a group. The most important thing to remember here is that the original group admini ....
Tim Mackey, Principal Security Strategist, Synopsys CyRC
November 07, 2019
Additionally, when settings change or new entities gain access to data, users should be alerted to the change.
As Facebook have demonstrated over the years, maintaining a matrix of permissions for any account is challenging. This comes not only from how privacy expectations are communicated and set, but through how they might be verified. Looking specifically at Groups, while a Group administrator might authorize an application to access certain aspects of their Group, individual users might have a differe ....
