News is breaking that Facebook has exposed the private photos of an estimated 6.8 million users due to an API bug. The bug allowed third-party apps access to photos beyond those the app had requested, pulling users' timeline photos, Facebook Stories and Marketplace photos, in addition to photos they had uploaded to Facebook but never shared.
Facebook says the bug impacted users between Sept. 13 and Sept. 25, 2018. The company has said users impacted by this Facebook API bug have been notified with an alert in Facebook. IT security experts commented below.
“Facebook failed to report this bug to Europe’s Information and Data Protection Commissioner (IDPC), putting the company at risk of receiving sanctions under GDPR. However, that’s likely the least of Facebook’s worries. Mishandling the disclosure of another serious security incident this year not only gives the company a poor public image, it can also affect their stock price over the long term.
Facebook joins Google+ as another social media platform affected by an API bug in recent news, proving that most organizations today – including tech giants – do not have adequate visibility into the hundreds of vulnerabilities and other threats facing their networks that could lead to unauthorized exposure of sensitive information. Even when gaps in security are detected, most companies struggle to decide which remediations to prioritize, given limited IT resources and manpower. With 2019 around the corner, we will start to see organizations adopt security tools that leverage artificial intelligence and machine learning to continuously monitor for vulnerabilities and attack vectors, and to produce lists of prioritized fixes based on potential business impact.”
“If we take Facebook at their word that the exposure only ran for 12 days, I think it’s best to assume this was caused by a bug in a code update (rather than, say, a poorly thought-out security policy). Preventing bugs like this from making it to production takes an organized effort across the team. Secure code review, automated testing, and auditing are all needed to help defend against insecure code pushes. When these review steps aren’t in place, or are circumvented in the name of efficiency, breaches and information leaks will happen. Organizations should look for ways to automate these processes to make it easier to vet new code before it goes live.”
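A model of the bug class described above, as an added example that is not Facebook's code: an over-broad photo lookup that filters on ownership alone, beside a lookup that also checks the granted scope and whether the user actually shared the photo, with the kind of automated regression check the second quote calls for. The photo surfaces, the `user_photos` scope name and the sample data are assumptions.

```python
# Added example (not Facebook's code) of the bug class described above and a
# regression check for it; names, scopes and sample data are assumptions.
from dataclasses import dataclass

# Surfaces a photo can live on. Only TIMELINE photos the user actually shared
# are meant to be visible to an app holding the user_photos grant.
TIMELINE, STORY, MARKETPLACE, UNSHARED = "timeline", "story", "marketplace", "unshared"

@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    surface: str   # where the photo lives
    shared: bool   # whether the user completed the share/post action

@dataclass(frozen=True)
class AppGrant:
    app_id: str
    user: str
    scopes: frozenset  # permissions the user granted, e.g. {"user_photos"}

def list_photos_buggy(photos, grant):
    """Over-broad lookup: filters on owner only, so stories, marketplace
    listings and never-shared uploads leak to the app."""
    return [p for p in photos if p.owner == grant.user]

def list_photos_fixed(photos, grant):
    """Scope-aware lookup: requires the user_photos grant and returns only
    photos the user actually shared to their timeline."""
    if "user_photos" not in grant.scopes:
        return []
    return [p for p in photos
            if p.owner == grant.user and p.surface == TIMELINE and p.shared]

# Constructed sample data: alice's photos across surfaces, plus one of bob's
# to confirm owner isolation.
SAMPLE_PHOTOS = [
    Photo("p1", "alice", TIMELINE, True),
    Photo("p2", "alice", STORY, True),
    Photo("p3", "alice", MARKETPLACE, True),
    Photo("p4", "alice", UNSHARED, False),  # uploaded, never posted
    Photo("p5", "bob", TIMELINE, True),
]
ALICE_GRANT = AppGrant("app-123", "alice", frozenset({"user_photos"}))

def leaked_photo_ids(photos, grant):
    """CI regression check: ids the buggy path returns but the fixed one would not."""
    allowed = {p.photo_id for p in list_photos_fixed(photos, grant)}
    return sorted(p.photo_id for p in list_photos_buggy(photos, grant)
                  if p.photo_id not in allowed)
```

Wiring `leaked_photo_ids` into the test suite turns the "did we expose more than the app was granted" question into a failing build rather than a post-incident notification.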