Skip to content
Naked Security Naked Security

Facebook confesses 100 devs may have accessed leaked Groups data

It shut down that access in April 2018, or at least thought it did. At least 11 improperly accessed data in the last two months.

Even after Facebook locked down its Groups API in April 2018 to keep developers from accessing user data – including the names and profile pictures of people in specific, sometimes secret, groups – roughly 100 developers might still have gotten at that user information, the platform said on Tuesday.

Konstantinos Papamiltiadis, Facebook’s director of platform partnerships, said in a News for Developers post that the access has inappropriately been left open and that data may have been accessed by some developers for over a year. “At least” 11 partners accessed group members’ information in the last 60 days, he said.

When it made the change in April 2018, Facebook explained that at the time, apps needed the permission of a group admin or member to access group content for closed groups, and the permission of an admin for secret groups.

The apps help admins do things like easily post and respond to content in their groups. Facebook said that it wanted to better protect information about group members and conversations, so it changed things around: with the newly locked-down Groups application programming interface (API), any third-party app would need approval from Facebook and an admin to ensure that the apps were actually benefitting the group.

It shut down the apps’ ability to access the member list of a group and removed personal information, such as names and profile photos, attached to posts or comments that the approved apps could access. After April 2018, if an admin authorized an app’s access, it would only get information such as the group’s name, the number of users, and the content of posts.

An app could still access information such as name and profile picture, but only if group members opted in to that data sharing.

Well, anyway, that’s the way it should have been.

During an ongoing review, Facebook found that some apps were still getting information such as group members’ names and profile pictures.

Most of the apps are for social media management and video streaming: they’re designed to help group admins manage their groups and to do things like help members to share videos to their groups. Facebook gave the example of a business that manages a large community that has members that span multiple groups: such a business could use a social media management app to provide customer service, including customized responses, at scale.

Papamiltiadis said that the number of developers that actually accessed the, supposedly off-limits, data is likely to be less than 100, and that the number has likely decreased over time.

Facebook hasn’t seen any evidence that the developers have abused their data access. Still, it’s asking them to delete any member data they may have retained and plans to conduct audits to confirm that it’s been scrubbed.

1 Comment

Fact is and we all know it , anything on facebook will be used by anyone for any purpose, except to our benefit. The more nefarious an operation, the more likely your data and you are bring used by them.
The answer is; put up data you want them to have, so we are in control of the manipulation!
Flesmih llik tndid nietspe dna.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?