O Facebook anunciou que fotos de 6,8 milhões de utilizadores podem ter sido expostas por uma vulnerabilidades na Photo API, permitindo que aplicações de terceiros comuniquem diretamente com a API para fins de exfiltração.
“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.” reads a post published by Facebook.
As apps que recebem acesso às fotos podem aceder apenas a imagens partilhadas na cronologia do utilizador. A vulnerabilidade também poderia ter exposto outras fotos, incluindo aquelas partilhadas no Facebook Marketplace ou via Stories, e até mesmo fotos que foram apenas enviadas, mas que não foram publicadas.
“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.” continues the post.
Atualmente o Facebook está a notificar todos os utilizadores impactados através de uma notificação enviada para a sua conta da rede social:
“We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.” concludes Facebook.
“We will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.”
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, hacking, cybersecurity, IoT and security in computer networks. He is also Freelance Writer.
Read more here.