5,000 App Developers Had Access to User Data Thanks to a Facebook Bug

Facebook Bug Exposes User Data

There's been a privacy-related incident at Facebook. For many, this isn't much of a surprise. Mark Zuckerberg's social network has been involved in so many scandals that nowadays, when people hear about the latest one, they don't tend to be particularly shocked or outraged. Instead, they tend to ask how bad it is.

Third-party app developers had access to data they shouldn't have had access to… again

The breach was announced by Konstantinos Papamiltiadis, VP of Platform Partnerships, in a blog post related to Facebook's new terms which limit the scope of information app developers can share with third parties. The problem lay with a similar mechanism that was put in place in the wake of the Cambridge Analytica scandal from early 2018.

As you may recall, the British consulting firm collected the personal data of millions of Facebook users and used it to target them with political ads. The incident led to a lot of red faces and apologies at Facebook, and it prompted the social network to implement certain mechanisms that would provide better security for users' private data.

One such mechanism was supposed to ensure that if a user didn't interact with a third-party app for a period of 90 days, the app would stop having access to the user's personal information. It turns out that this mechanism wasn't working, and up until recently, third-party developers could get people's data despite the fact that their apps were not actively used.
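One way to verify an expiry control like this independently of the code that enforces it, as an added example that is not from Facebook or the original article: replay the data-access log against user activity and flag every read served after the 90-day window. The record layout, names, boundary handling and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=90)  # window described in the article


def access_allowed(last_interaction, now):
    """Enforcement rule: an app may read a user's data only while fewer than
    90 days have passed since that user last used the app. Fails closed when
    no interaction is on record. (Exact boundary handling is an assumption.)"""
    return last_interaction is not None and now - last_interaction < INACTIVITY_LIMIT


def audit(interactions, access_log):
    """Replay both logs in time order and return every data read that was
    served although the grant should already have expired.
    Both inputs are lists of (user, app, timestamp) tuples (assumed layout)."""
    events = sorted(
        [(ts, 0, user, app) for user, app, ts in interactions]
        + [(ts, 1, user, app) for user, app, ts in access_log]
    )  # kind 0 sorts first, so same-instant activity counts before the read
    last_seen, violations = {}, []
    for ts, kind, user, app in events:
        if kind == 0:
            last_seen[(user, app)] = ts  # user activity renews the window
        elif not access_allowed(last_seen.get((user, app)), ts):
            violations.append((user, app, ts))
    return violations


def _t(day):
    """Constructed timestamps: days offset from an arbitrary start date."""
    return datetime(2020, 1, 1, tzinfo=timezone.utc) + timedelta(days=day)


# Constructed sample data, not real logs.
SAMPLE_INTERACTIONS = [("alice", "quiz_app", _t(0)), ("bob", "quiz_app", _t(0)),
                       ("bob", "quiz_app", _t(120))]
SAMPLE_ACCESS_LOG = [
    ("alice", "quiz_app", _t(30)),   # inside the window
    ("alice", "quiz_app", _t(95)),   # violation: 95 days inactive
    ("bob", "quiz_app", _t(100)),    # violation: lapsed before bob returned
    ("bob", "quiz_app", _t(130)),    # fine: bob used the app again on day 120
    ("carol", "quiz_app", _t(10)),   # violation: no interaction on record
]

if __name__ == "__main__":
    for user, app, ts in audit(SAMPLE_INTERACTIONS, SAMPLE_ACCESS_LOG):
        print(f"expired grant still served: {app} read {user} at {ts:%Y-%m-%d}")
```

Running the audit from a separate job, against logs the enforcement path does not write, is what lets it catch the case where the enforcement check itself is not working.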

Facebook: It's not as bad as it sounds

Papamiltiadis knew that there would inevitably be some negative comments, and he was quick with the damage control. He pointed out that in total, around 5 thousand developers continued to have access after 90 days of inactivity, but he also said that Facebook fixed the issue immediately after learning about it. Crucially, the bug didn't result in the exposure of any personal data that the user hadn't opted to share initially. In other words, the only details exposed because of the bug are the ones that users changed after they stopped using the app.

The potential damage for end users is somewhat limited, and some of you may think that the whole thing is no big deal. Look at it from a broader perspective, however, and you'll see that the problem shouldn't be played down.

Yet another blunder for Facebook

Facebook is by far the world's biggest social network. It is responsible for the personal details of more than 2 billion people, and when it says that it's implementing a mechanism to protect these people's privacy, it must ensure that it's working correctly. When things do go wrong, Facebook needs to share details of exactly what happened and why.

In this particular case, the disclosure left a few open questions. While we do know that 5 thousand developers might have had access to people's personal details, we have no idea how many users could have been affected. We also don't know whether the bug was introduced recently or whether it has existed for the last two years.

In many people's eyes, Facebook's track record when it comes to privacy is not exactly spotless, and the lack of transparency in the disclosure of the latest incident is not going to do a lot to change their opinion.

July 2, 2020