News is breaking that Facebook has exposed the private photos of an estimated 6.8 million users, due to an API bug. The bug allowed access to photos beyond the third-party app request, pulling their timeline photos, Facebook Stories, Marketplace photos, in addition to photos they’d uploaded to Facebook but never shared.
Facebook says the bug impacted users between Sept. 13 to Sept. 25, 2018. The company has said users impacted by this Facebook API bug have been notified with an alert (notification) in Facebook. IT security experts commented below.
Mark Weiner, CMO at Balbix:
“Facebook failed to report this bug to Europe’s Information and Data Protection Commissioner (IDPC), putting the company at risk of receiving sanctions under GDPR. However, that’s likely the least of Facebook’s worries. Mishandling the disclosure of another serious security incident this year not only gives the company a poor public image, it can also affect their stock price over the long-term.
Facebook joins Google+ as another social media platform affected by an API bug in recent news proving that most organizations today – including tech giants – do not have adequate visibility into the hundreds of vulnerabilities and other threats facing their networks that could lead to unauthorized exposure of sensitive information. Even when gaps in security are detected, most companies struggle to decide which remediations to prioritize, given limited IT resources and manpower. With 2019 around the corner, we will start to see organizations adopt security tools that leverage artificial intelligence and machine learning to continuously monitor for vulnerabilities and attack vectors, and to produce lists of prioritized fixes based on potential business impact.”
Bryan Becker, Application Security Researcher at WhiteHat Security:
“If we take Facebook at their word that the exposure only ran for 12 days, I think it’s best to assume this was caused by a bug in a code update (rather than, say, a poorly thought out security policy). Preventing bugs like this from making it to production takes an organized effort across the team. Secure code review, automated testing, and auditing are all needed to help defend against insecure code pushes. When these review steps aren’t in place, or are circumvented in the name of efficiency, breaches and information leaks will happen. Organizations should look for ways to automate these processes to make it easier to vet new code before it goes live.”