Facebook said that about 100 developers, primarily of video streaming and social media management software, could have accessed private group members' data, such as names and profile pictures.
This happened after Facebook restricted or removed various developer APIs, including the Groups API: the affected apps retained access to extended group information for longer than intended.
“Today we also have about 100 partners who may have accessed this information since we announced restrictions on the Group APIs, even though the number that have actually done so is probably smaller and has declined over time,” said Konstantinos Papamiltiadis, Director of Developer Platforms & Programmes at Facebook.
“We know that over the past 60 days at least 11 partners have accessed data from group partners,” added Papamiltiadis in the blog post announcing improvements to group API access.
Before April 2018, group admins could authorize an app for a group, which gave the app developer access to information in the group. But as part of the changes to the Groups API after April 2018, if an admin authorized this access, that app would only get information such as the group’s name, the number of users, and the content of posts. For an app to access additional information such as name and profile picture in connection with group activity, group members had to opt in. – Konstantinos Papamiltiadis
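The quote above describes two access models: admin consent alone exposing member details (before April 2018) versus member-level opt-in (after). The following is an added illustration of that data-minimization rule, written for this page; it is not Facebook's code and does not model the real Groups API. The dataclasses, the `shares_profile_with_apps` opt-in flag, and the `records_to_purge` helper (which mirrors the later deletion-and-audit step by listing cached member records an app is no longer entitled to hold) are all assumptions made for the example.

```python
"""Illustrative data-minimization filter for a group API (added example).

Not Facebook's code: the field names, policies and sample data are
assumptions constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Policy identifiers for the two access models described in the text.
LEGACY_POLICY = "pre_april_2018"   # admin consent alone exposes member details
OPT_IN_POLICY = "post_april_2018"  # member details require each member's opt-in


@dataclass
class Member:
    user_id: str
    name: str
    profile_picture_url: str
    shares_profile_with_apps: bool = False  # per-member opt-in (assumed flag)


@dataclass
class Group:
    group_id: str
    name: str
    members: List[Member]
    posts: List[str]


def group_view_for_app(group: Group, admin_authorized: bool, policy: str) -> Dict:
    """Return the subset of group data an authorized app may see under `policy`.

    Group name, member count and post content are always returned once an
    admin has authorized the app. Per-member name and profile picture are
    returned for every member under LEGACY_POLICY, but only for members who
    opted in under OPT_IN_POLICY.
    """
    if not admin_authorized:
        raise PermissionError("app is not authorized for this group")
    if policy not in (LEGACY_POLICY, OPT_IN_POLICY):
        raise ValueError(f"unknown policy: {policy}")

    view = {
        "group_id": group.group_id,
        "name": group.name,
        "member_count": len(group.members),   # a count, not the member list
        "posts": list(group.posts),
        "members": [],
    }
    for m in group.members:
        if policy == LEGACY_POLICY or m.shares_profile_with_apps:
            view["members"].append({
                "id": m.user_id,
                "name": m.name,
                "profile_picture_url": m.profile_picture_url,
            })
    return view


def records_to_purge(cached_member_ids: Iterable[str], group: Group, policy: str) -> List[str]:
    """Given member ids an app still holds in its own store, return those it
    is no longer entitled to under `policy` and should delete (audit aid)."""
    allowed = {m["id"] for m in group_view_for_app(group, True, policy)["members"]}
    return sorted(set(cached_member_ids) - allowed)


def sample_group() -> Group:
    """Constructed sample data: three members, only one of whom opted in."""
    return Group(
        group_id="g1",
        name="Example hobby group",
        members=[
            Member("u1", "Alice", "https://example.invalid/a.png"),
            Member("u2", "Bob", "https://example.invalid/b.png", shares_profile_with_apps=True),
            Member("u3", "Carol", "https://example.invalid/c.png"),
        ],
        posts=["first post", "second post"],
    )


if __name__ == "__main__":
    g = sample_group()
    print("legacy members visible:", len(group_view_for_app(g, True, LEGACY_POLICY)["members"]))
    print("opt-in members visible:", len(group_view_for_app(g, True, OPT_IN_POLICY)["members"]))
    print("records an app should purge:", records_to_purge(["u1", "u2", "u3"], g, OPT_IN_POLICY))
```

The point of the filter is that the aggregate fields (name, member count, posts) and the per-member fields are gated separately, so tightening the policy removes member detail without breaking an app that only needs group-level data; `records_to_purge` shows how the same rule can be turned around to check what a developer should no longer be holding.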
Facebook notes that developers who may have accessed group member details after the Groups API restrictions were announced in April 2018 have been asked to delete any member data they may still hold, even though no evidence of abuse has been found so far.
The company is also planning audits to verify that developers have removed the data as requested.
“We want to keep our platform safe and to treat our developers equally,” said Papamiltiadis. “The new framework of our deal with the FTC, as we said in the past, means more accountability and transparency in how we build and maintain products.”
One of many security and privacy incidents
The event adds to a long list of security and privacy incidents at the social network in recent years, which led the Federal Trade Commission (FTC) in July 2019 to require Facebook to pay a five billion dollar penalty at the conclusion of the Cambridge Analytica investigation.
This was the largest penalty ever imposed on a company for violating consumers' privacy and one of the largest ever assessed by the U.S. government for any kind of violation.
As part of this agreement, the company was required to implement a new privacy and data security program as well as additional oversight mechanisms for the FTC.
The agreement also resolved charges that Facebook violated the FTC consent order of 2012 “by disappointing users with their ability to control their privacy.” At the end of March 2019, the company revealed that Facebook and Instagram passwords had been stored for years in plain text on several internal data storage systems.
In September 2018, Facebook said that 50 million users were affected by a security vulnerability in Facebook’s “View As” feature, which potentially allowed malicious third parties to access the affected users’ account information. One month later, Facebook said that attackers had stolen the access tokens of 30 million of those users.
In April 2018, Facebook announced that Cambridge Analytica had obtained access to the information of over 87 million people (80% of them US citizens), not 50 million as the company had initially reported.