Even if you didn’t post a photo on your Facebook timeline, a software flaw could have shown it to app developers.
The social network disclosed a photo API (application program interface) bug on Friday that affected up to 6.8 million people on 1,500 apps connected to Facebook, the company said in a blog post. The flaw is related to the permission you give for an app to access your photos on Facebook — like when dating app Tinder uses your photos to set up your profile.
The bug was caused by an error in a code update in September, Facebook said.
The API is only supposed to allow the third-party app to access photos that you share on your timeline, but the bug gave app developers complete access to other pictures, such as those uploaded to Facebook Stories or even ones that you uploaded but never posted.
“For example, if someone uploads a photo to Facebook but doesn’t finish posting it — maybe because they’ve lost reception or walked into a meeting — we store a copy of that photo so the person has it when they come back to the app to complete their post,” Tomer Bar, Facebook’s engineering director, said in the blog post.
The issue didn’t affect photos in Messenger, Facebook said.
The bug lived for 12 days, between Sept. 13 and Sept. 25, according to Facebook. The social network said that it would be rolling out a tool next week for app developers to determine whether their users were affected by the security flaw. Facebook will also notify via alert the millions of people whose photos were exposed, the company said.
“We’re sorry this happened,” Bar said.
Although Facebook discovered the flaw in September, it didn’t notify the public for nearly three months because it was investigating the issue to find out how many people were affected, the company said.
A spokesperson said Facebook notified the Irish Data Protection Commission as soon as it figured out the breach was considered reportable under the European Union’s data protection laws, or.
“We’ve heard loud and clear that we need to be more transparent about how we build our products and how those products use people’s data — including when things go wrong. These types of notifications are designed to do just that,” a Facebook spokesperson said in a statement.
You can check which apps have access to your photos on Facebook in your privacy settings.
The flaw is Facebook’s latest security blunder. The company has been hit with multiple screwups related to privacy this year, and a loss of public trust has pushed Facebook to make efforts like hosting privacy pop-up events.
Facebook dealt with other controversies this year as well, including the massive Cambridge Analytica data abuse scandal, foreign influence campaigns and a major breach affecting 29 million accounts. That breach, announced in September, was also an issue with Facebook’s API, related to birthday videos on the social network.
Originally published Dec. 14 at 8:08 a.m. PT.
Update, 8:16 a.m. PT: Added a response from Facebook.