Ireland's Privacy Watchdog Probes Facebook Data Breaches6.8 Million Users' Private Photos Exposed, Triggering GDPR Investigation
Ireland's privacy watchdog is probing two data breaches at Facebook that exposed users' private information.
The latest privacy gaffe by the social network was revealed Friday, when Facebook warned that for a 12-day period in September, up to 6.8 million users' private photos may have been revealed to 1,500 apps built by 876 developers.
"Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos," writes Tomer Bar, engineering director at Facebook, in a blog post. "We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between Sept. 13 to Sept. 25, 2018."
Facebook's single sign-on system, called Facebook Social Login or Facebook Login, allows users to access compatible third-party website services or mobile apps without having to log in again.
Ireland Probes Facebook Breaches
Under the EU's General Data Protection Regulation, Facebook had 72 hours to alert EU authorities to the breach, which it says it has done.
Ireland's Data Protection Commission, which is the national data protection authority in charge of enforcing GDPR, tells Information Security Media Group that it is probing Facebook data breaches (see: Facebook Submits GDPR Breach Notification to Irish Watchdog).
"The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018," a spokesman for the DPC tells Information Security Media Group, leading to it launching a full investigation last week.
"We have ... commenced a statutory inquiry examining Facebook's compliance with the relevant provisions of the GDPR," he says.
Ireland's DPC takes the lead on all investigations under GDPR that involve Facebook. That's because Facebook has its EU "main establishment" in Dublin, and so it qualifies for a one-stop-shop mechanism under GDPR that ensures that only the privacy watchdog in the country in which it is headquartered conducts any privacy investigations.
Some other technology giants, including Microsoft, Twitter, and soon, Google, also have their EU main establishments in Ireland.
Facebook didn't immediately respond to a request for comment on the DPC's probe.
Follows Privacy Feature Hack
Facebook's inadvertent private-photo exposure follows the social network warning in September that attackers had strung together three separate flaws to gain access to 50 million users' accounts (see: Facebook Breach: Attackers Exploited Privacy Feature).
Facebook says the latest flaw was inadvertent, and it hasn't said there are any signs that it was actively exploited. "The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos," Bar writes.
Even so, the problem has yet to be resolved, although Facebook says it will put tools designed to spot the image exposure in developers' hands this week. "We will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug," Bar writes. "We will be working with those developers to delete the photos from impacted users. We will also notify the people potentially impacted by this bug via an alert on Facebook."
Facebook also recommends that all users review which third-party apps they allow to access their photos and cancel access for any apps that should not have it.
Definition: Private Photos
What does Facebook mean by private photos? Facebook says any app to which a user grants photo access is only meant to see the user's timeline photos. But this API bug potentially also gave developers access to photos users shared on Marketplace, via Facebook Stories, or to photos they had uploaded but either chosen to not post, or not yet posted.
Facebook says it stores any photo that a user uploads but doesn't post for three days - in case they choose to finish their post - before deleting it.
Single Sign-On Downsides
The private photo exposure again involves anyone who used Facebook Login, which is Facebook's single sign-on system, also known as Facebook Social Login. It allows users to access compatible third-party website services or mobile apps without having to log in again.
But some information security experts have warned that security-conscious users should avoid social networks' SSO systems at all costs.
Any attacker who is able to steal a Facebook Login access token can use it to log into a user's connected services. At least to date, Facebook has no ability to forcibly revoke hijacked tokens (see: Facebook Breach: Single Sign-On of Doom).