Facebook Admits Another Developer Privacy Snafu

Written by

Facebook has revealed yet another incident where third-party developers may have been allowed too much access to user data.

In this case, names, profile pictures and other information relating to members of Facebook groups may have been accessed improperly by as many as 100 developer ‘partners’ of the social network.

“We know at least 11 partners accessed group members’ information in the last 60 days,” said Facebook director of developer platforms and programs, Konstantinos Papamiltiadis.

“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted.”

The snafu relates to a Groups API that Facebook restricted as part of its efforts in April last year to clamp down on data sharing with third parties, in the wake of the Cambridge Analytica scandal.

“Before April 2018, group admins could authorize an app for a group, which gave the app developer access to information in the group,” said Papamiltiadis.

“As part of the changes to the Groups API after April 2018, if an admin authorized this access, that app would only get information, such as the group’s name, the number of users, and the content of posts. For an app to access additional information such as name and profile picture in connection with group activity, group members had to opt-in.”

Unfortunately, the social network subsequently discovered that some apps/developers retained access to this additional information “for longer than intended.”

These have now been removed as part of Facebook’s efforts to improve transparency and accountability following its record $5bn settlement with the FTC.

In September this year it announced the suspension of tens of thousands of apps from hundreds of developers for potential abuse of policy, such as improperly sharing user data.

What’s hot on Infosecurity Magazine?