
Facebook says new bug allowed apps access to private photos of up to 6.8M users - chrisseldo
https://www.washingtonpost.com/technology/2018/12/14/facebook-says-new-bug-allowed-apps-access-private-photos-up-million-users/
======
makecheck
I _never_ assume that “settings” guarantee what they claim. It’s just not
practical even with good intentions, for a single non-public code base.

As a developer, I know it is hard to implement something once, harder to
implement consistently across multiple interfaces, and damn near impossible to
keep correct years later after employee turnover and other twists.

The sad thing is that it costs a ton more money to do things really well, and
companies can basically take advantage of the low price of doing things poorly
until finally forced. And by then, they have tons of money so _they_ can
comply but any startup is screwed because now it costs more for everyone, even
those entering the game.

~~~
jdc0589
even more so when you remember that SO MANY COMPANIES enforce most of their
auth z/n at the edge, and are a lot looser between internal services
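
The pattern makecheck and jdc0589 describe above (a setting checked once at the edge and not re-checked by the services behind it) is easy to illustrate. This is an added example, not Facebook's or any project's code; the users, the app, the photo ids and the `user_photos` scope name are constructed stand-ins.

```python
"""Constructed illustration: one privacy setting, enforced two ways.

Path A checks the app's scope once at the API edge and then trusts the
internal photo service, which returns everything the user owns. Path B
re-applies one shared policy function to every photo on every path, and
`audit_paths` compares each path against that policy, the consistency
check that catches drift between interfaces over the years.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List

class Visibility(Enum):
    POSTED = "posted"      # shared to the user's timeline
    UNPOSTED = "unposted"  # uploaded but never posted

@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    visibility: Visibility

@dataclass(frozen=True)
class AppToken:
    app_id: str
    user: str
    scopes: FrozenSet[str]

# Constructed sample data: hypothetical users, app and photo ids.
PHOTOS: List[Photo] = [
    Photo("p1", "alice", Visibility.POSTED),
    Photo("p2", "alice", Visibility.UNPOSTED),
    Photo("p3", "alice", Visibility.POSTED),
    Photo("p4", "bob", Visibility.POSTED),
]

def may_read(token: AppToken, photo: Photo) -> bool:
    """The single policy decision. A third-party app holding the
    hypothetical 'user_photos' scope may read only the token owner's
    photos, and only those the user actually posted."""
    return (
        "user_photos" in token.scopes
        and photo.owner == token.user
        and photo.visibility is Visibility.POSTED
    )

def internal_photo_service(user: str) -> List[Photo]:
    """Internal service that trusts its caller: no visibility check here."""
    return [p for p in PHOTOS if p.owner == user]

def list_photos_edge_only(token: AppToken) -> List[Photo]:
    """Path A: authorization at the edge only. The scope check passes and
    the trusted internal call hands back unposted photos as well."""
    if "user_photos" not in token.scopes:
        raise PermissionError("missing user_photos scope")
    return internal_photo_service(token.user)

def list_photos_policy_enforced(token: AppToken) -> List[Photo]:
    """Path B: the policy is applied to every photo the service returns."""
    return [p for p in internal_photo_service(token.user) if may_read(token, p)]

def audit_paths(token: AppToken,
                paths: Dict[str, Callable[[AppToken], List[Photo]]]) -> Dict[str, List[str]]:
    """Per access path, the photo ids it exposes that the policy denies.
    Empty lists everywhere mean all interfaces agree with the policy."""
    report: Dict[str, List[str]] = {}
    for name, path in paths.items():
        try:
            exposed = path(token)
        except PermissionError:
            exposed = []
        report[name] = [p.photo_id for p in exposed if not may_read(token, p)]
    return report

if __name__ == "__main__":
    token = AppToken("quiz-app", "alice", frozenset({"user_photos"}))
    print(audit_paths(token, {"edge_only": list_photos_edge_only,
                              "policy_enforced": list_photos_policy_enforced}))
    # {'edge_only': ['p2'], 'policy_enforced': []}
```

Running the audit against every interface that serves photos (web, mobile, partner API) on each release is what turns "the setting says private" into something that is actually verified.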

------
ucarion
Facebook is a global database of political dissidents, queer persons,
apostates, and other categories of people whose physical safety is put in
peril when their personal lives are leaked.

Facebook _surely_ must be heavily fined and regulated for their misbehavior,
because to fail to keep Facebook data safe is to put lives at risk.

~~~
bad_user
Going to play the devil’s advocate. If you fine Facebook, you have to fine the
small companies too, and even individual developers developing OSS, since the
law should apply to everyone equally. Of course the fines have to be
proportional to the number of affected users.

So would you like a fine for your bugs? And note that contrary to other
professions, software development doesn’t have generally agreed recipes for
building bug-free software, so was that really negligence? Was it malpractice?

Being fined for a contribution to an OSS project would be terrible, wouldn’t
it? And no, the size of the company doesn’t and shouldn’t matter in the eyes
of the law, only the impact.

Also people uploading stuff on the Internet should really expect a best effort
privacy. If you expect secrecy, then uploading shit on a platform meant for
_sharing_ is pretty dumb.

Note that I will blame Facebook for willful privacy violations. And I hope to
see them suffer under GDPR. But a bug doesn’t fall in the same category.

~~~
794CD01
Absolutely. Fine everyone into the ground. Doesn't look like there is any
other way to make people take security seriously.

I'm not a fan of the overregulation of industries like aviation, but consumer
software has gone too far in the other direction and is long overdue for an
adjustment.

~~~
bad_user
Really? How has " _consumer software gone too far in the other direction_ "?

Does it ... kill people? Does it enforce bad policies like the healthcare
industry did for the past couple of decades, causing an epidemic of obesity,
diabetes and heart disease, which are the top causes of death?

Yeah, regulation there definitely helped /s

~~~
bosie
> Does it ... kill people?

Facebook asked users to upload nude photos. What if those get leaked and users
commit suicide because of it? Would you (partially) blame facebook for their
death?

> Does it enforce bad policies like the healthcare industry did for the past
> couple of decades, causing an epidemic of obesity, diabetes and heart
> disease, which are the top causes of death?

Genuine question but what policies are the reasons for the epidemic of the
three death causes you just mentioned?

~~~
bad_user
> " _Would you (partially) blame facebook for their death?_ "

No, because doing nude pictures of yourself and then distributing them, no
matter where, is just stupid. Parents should educate their kids to know
better, or seek counseling if that mistake was made.

You're also talking of a hypothetical situation. When planes crash, people
die, guaranteed. And yearly there are more than 100 plane crashes.

> " _Genuine question but what policies are the reasons for the epidemic of
> the three death causes you just mentioned?_ "

The recommendation for a diet high in sugar, high in wheat and other grains,
high in vegetable oils / polyunsaturated fats (e.g. Omega-6), low in saturated
fat, low in dietary cholesterol, low in salt.

Children were fed in schools, diets were set in hospitals, foods were
preferred in supermarkets according to these guidelines. That's not a debate I
want to get into though.

~~~
mynameisvlad
> You're also talking of a hypothetical situation

Considering this article is about Facebook leaking 6+ million photos to third
parties, including photos that were uploaded but never shared, it's well
within the realm of possibility that at least one of those millions of photos
was a nude. In fact, I'd bet there were quite a few nudes in the leaked set.
It only takes one more step to turn that hypothetical of yours into a reality.

------
bluetidepro
> "We're sorry this happened."

That about sums it up for all these privacy breaches these days. It's getting
to the same level of "thoughts and prayers" for tragedies. No actual change or
consequences for the problems happening, just empty "sorries" and "promises"
that it won't happen again/they'll get it fixed. I don't know if this is a
GDPR violation or not (as someone else asked), but if it is, I hope we start
actually seeing action of these sorts of things.

~~~
canttestthis
> I don't know if this is a GDPR violation or not (as someone else asked), but
> if it is, I hope we start actually seeing action of these sorts of things.

Sounds like you're suggesting that we criminalize software bugs.

~~~
bluetidepro
Yes, I am suggesting that. I don't necessarily think jail time is the right
thing, but I do think something like meaningful fines are more than reasonable
for major software bugs that cause these kinds of breaches of privacy. It will
make larger companies like this be much more careful when money is on the
table for them to lose.

To me, if we can criminalize something like a major oil spill such as
BP/Deepwater Horizon, how is this much different? It's not like they did the
oil spill on purpose, but they still needed consequences for those risks
that they were taking. Software companies, esp. larger ones like Facebook,
should have the same kind of consequences for their risks of software bugs
that cause these kinds of privacy breaches.

Also, as someone else below pointed out to someone else with a similar tone as
your phrasing of "criminalize software bugs": "intentionally obscuring the
debate. Gross negligence is an entirely different standard than just software
bugs."

~~~
newsopt
Just a quick question, do you write software? Do you have a legal or economic
background? It seems pretty clear to me that anyone suggesting that software
bugs in applications that have no risk of causing physical harm should have
criminal liability has no idea what they are talking about and what damage
such a law would cause.

Case in point: look at the quality of medical software today. Hospitals still
use Windows XP and other completely insecure and outdated software. Because
absolutely nobody wants to deal with the nightmare that is HIPAA.

~~~
elliekelly
HIPAA only carries criminal penalties when someone _knowingly_ discloses
covered information - not a software bug. Until the bug is identified at
least. For the most part HIPAA is enforced with civil penalties.

And your "nightmare" scenario of (civil) liability flowing from programming
bugs already exists in the investment world and it hasn't come apart at the
seams. Google Axa Rosenberg. A coding error in their trading algorithm went
undiscovered for two years. Negligent for sure, but not why the SEC went after
them. The problem was they didn't promptly disclose the error to investors and
they didn't promptly correct it. Algorithmic trading firms _should_ have
mechanisms to catch errors, correct errors, and disclose those errors to
investors. And after seeing Axa Rosenberg's $250 million fine and Rosenberg's
lifetime ban from the industry guess what they all implemented?

~~~
reaperducer
_HIPAA only carries criminal penalties when someone knowingly discloses
covered information_

This is false.

Source: Works for a company that has mandatory HIPAA training for every
employee every six months.

~~~
jahlove
> This is false.

Citation please. Here's mine:

> Criminal penalties

>

> Covered entities and specified individuals, as explained below, who
> "knowingly" obtain or disclose individually identifiable health information,
> in violation of the Administrative Simplification Regulations, face a fine
> of up to $50,000, as well as imprisonment up to 1 year.

>

> Offenses committed under false pretenses allow penalties to be increased to
> a $100,000 fine, with up to 5 years in prison.

>

> Finally, offenses committed with the intent to sell, transfer or use
> individually identifiable health information for commercial advantage,
> personal gain or malicious harm permit fines of $250,000 and imprisonment up
> to 10 years.

Source: American Medical Association

[https://www.ama-assn.org/practice-management/hipaa/hipaa-vio...](https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement)

~~~
reaperducer
My company's lawyers disagree. I'll go with my company's lawyers' judgement
over a group that exists solely to protect the interests of its member
doctors.

~~~
eropple
Are these lawyers _you_ have talked to and gotten meaningful and nuanced
advice from, or are they lawyers _your bosses_ have talked to and derived
maximally avoidant policies from? I'm not saying that you shouldn't have
policies that fit your risk profile, but I ask because I have been in those
former conversations (and I have done a nontrivial amount of
auditing+compliance work in this space) and have never come away with such an
impression, while at the same time the level of perceived risk that your
bosses derive from those conversations can be entirely untethered from the
level of risk that actually exists. (This space is full of people saying "oh,
HIPAA means we can't do that" as shorthand for "I don't want to do that,"
after all.)

~~~
reaperducer
They are lawyers who personally do our training and put together testing
material based on that training.

To me that trumps a non-lawyer’s interpretation of a non-legal web site.

~~~
eropple
If you read the sibling comment where Spooky23 cites the HHS page on HIPAA, it
might be worth ruminating on that versus your interpretation of why your
company's lawyers lay out the training in the way that they do.

That they have a different _company_ risk profile doesn't necessarily change
the facts at hand. And, TBH, they don't have to tell you the truth if it helps
achieve their immediate goals. (They can tell you you'd be personally and
criminally liable. It might make you do what they want better. It might also
not be true.) Or it may all be in good faith. But what you describe doesn't
square with _anything_ I've ever worked with, at multiple clients and
employers.

------
jasonkester
“Private” photos that people uploaded to Facebook.

Sounds like a good time to reiterate the advice: Don’t upload things to the
internet that you don’t want to be on the internet. That way there won’t be
any of your things on the internet that you didn’t want to be there.

~~~
spinach
Except that your friends, family, and others can upload private photos with
you in them.

~~~
jakear
I left FB when they reverted a policy that let you opt to confirm all
tags before they showed up in searches for you.

This means anyone in the world can upload an image, tag you in it, and it will
show up in searches for you. It still won’t show up on your profile if you
have confirmations for that enabled, but still.

~~~
isostatic
No need to tag, just facial recognition will get you from previous tags and
other metadata

~~~
jakear
Will it show up in searches from just facial recognition? That would be _very
bad_ for anyone trying to live in a way incongruent with their culture’s
standards. (I personally left in solidarity with a Muslim friend who no longer
wears Hijab, but would prefer her family didn’t know that; pictures of her
without Hijab started showing up in searches without her approval suddenly and
without warning when they removed the old “confirm before search results”
option)

------
synthmeat
People here are calling for draconian measures without considering low-hanging
fruits first - why not just require the platform to disclose this within its
primary medium?

Bright big popup right over main facebook.com (and peripheral webs/apps)
dismissable only if you scrolled it all the way down, confirmed to have read
it, saying "private photos of millions of users were leaked" in big bold
letters, would go a long way.

------
newscracker
If there’s one thing that Facebook has been highly successful at, it’s making
people numb and uncaring about any of these “bugs”.

Like the saying goes, “One death is a tragedy; one million is a statistic” —
Facebook has made all its privacy blunders and issues over many years a
statistic...something people may nod their head at, feel bad for a moment and
go back happily to the same company’s platforms.

Unless lawmakers around the world do something, nothing will materially affect
Facebook (the company). Even if they do, I personally have no faith that the
company is capable of changing unless people at the top, like Mark Zuckerberg
and Sheryl Sandberg, are out.

------
imgabe
I think it should be clear to everyone at this point that nothing on Facebook
is private. Don't put anything there you wouldn't post publicly.

~~~
ams6110
Beyond that, nothing online is private. And generally, nothing can be removed.
There will always be bugs, mistakes, new vulnerabilities. Eventually it will
get out.

~~~
lucb1e
Two can keep a secret if one of them is dead, sure. But that doesn't mean you
have to assume that having something on the internet means it's going to leak
all by itself. The advice we _should_ be giving is not putting all of our eggs
in centralized baskets.

Especially if we know the baskets have goals not aligned with our own, despite
it being oh-so-convenient, but also not centralized in the first place.

------
rhegart
Remember when Facebook wanted you to upload nudes so they could help keep them
off of Facebook and the internet...yeahhh hopefully no one trusted them with
that. Also are there even any safeguards preventing private photos like these
or even nudes from being viewed by any admin? I hope there
is...

~~~
randyrand
I assume you’re being sarcastic. That never happened.

~~~
intopieces
[https://www.independent.co.uk/life-style/gadgets-and-tech/ne...](https://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-nude-photos-revenge-porn-upload-pictures-images-safety-a8365646.html)

------
inetknght
> _The bug also impacted photos that people uploaded to Facebook but chose not
> to post._

What about, for example, pictures sent in a private message?

I'm so very glad I deleted my account months ago.

~~~
perfmode
For pictures present on your phone which Facebook uploaded just in case you’d
want to post them later. To hide latency essentially

~~~
randyrand
Is this true? wtf....

------
tareqak
The Irish Data Protection Commission says that it opened a broad investigation
into Facebook's GDPR compliance in light of numerous data breaches -
[https://www.ft.com/content/d796b5a8-ffc1-11e8-ac00-57a2a8264...](https://www.ft.com/content/d796b5a8-ffc1-11e8-ac00-57a2a826423e)

------
Rjevski
As usual, I'd like to point out how scummy this site really is.

The paywall advertises a "Premium EU Ad-Free Subscription" which is more
expensive than the standard subscription and explicitly states "No on-site
advertising or third-party ad tracking" as one of the perks.

Trying to buy it has the following:

> By subscribing, you agree to the above terms, the Terms of Service, Digital
> Products Terms of Sale & Privacy Policy.

On the privacy policy, we have this:

> When you use our Services, third parties may collect or receive certain
> information about you and/or your use of the Services (e.g., hashed data,
> click stream information, browser type, time and date, information about
> your interactions with advertisements and other content), including through
> the use of cookies, beacons, mobile ad identifiers, and similar
> technologies, in order to provide content, advertising, or functionality or
> to measure and analyze ad performance, on our Services or other websites or
> platforms. This information may be combined with information collected
> across different websites, online services, and other linked or associated
> devices. These third parties may use your information to improve their own
> services and consistent with their own privacy policies.

There is absolutely no mention of the "Premium" ad-free subscription in the
privacy policy at all, so they are still granting themselves the right to
stalk you all over the place _even_ with the premium, more expensive
subscription.

Not to mention, the privacy policy page itself loads a handful of different
trackers before any kind of consent was even granted. I can see Google
Analytics, something from "c.go-mpulse.net", something else from
"bam.nr-data.net" explicitly sending my user-agent in the URL (why? They'd get
it in the headers anyway), Google News JS, Google Pay and the New Relic JS agent.

My only response to this is a big "fuck you" and this link:
[https://outline.com/zd5du7](https://outline.com/zd5du7) so you can read the
content without any of that garbage and without paying them since they don't
even deserve a single penny.

------
cmurf
I needed to change my phone number for an online account for a major well
known transportation company. The app offers a way to do this, and receive a
text message containing a verification code. Upon receipt the code is
auto-entered into the app, but I immediately got an error that said I had to open
a support ticket which can only be done with a web browser, not in app.

Customer support by email says I have to provide a copy of my driver's license
or passport to "secure the account". I said that's not reasonable, companies
leak too much personal data so you can't have any more of mine, I'll just open
a new account. They replied they'd just change the phone number (now no longer
requiring the required photo ID). They did and the end.

- No explanation why the verification code process would not work.

- None of my IDs have either my email address, account number, or phone
number, and the account doesn't even have my name on it. Giving them photo ID
does jack shit for the purpose claimed.

- If the account security is questionable, you should not only require text
verification of the new phone number, but they should have removed my stored
payment accounts, requiring me to reenter them. AFAIK the credit card
verification requires CVV and phone number matching the credit card account.
That seems like the right way to secure the account rather than bullshit photo
IDs.

------
cody3222
Didn't they just launch a feature earlier this year telling people to upload
their nudes so they could better detect when an ex misused them?

[https://www.theguardian.com/technology/2017/nov/07/facebook-...](https://www.theguardian.com/technology/2017/nov/07/facebook-revenge-porn-nude-photos)

------
graeme
On this topic, does anyone know if photo access granted to facebook apps on
iOS means facebook will upload all photos in the background?

Have never seen an analysis of it.

~~~
aylmao
I'd hope this is one of the things Apple audits against in their app review
process.

------
saulrh
It's too much to hope that Facebook takes a hint from Google and shuts down
its social network to preserve user privacy, right?

~~~
aylmao
Google didn't shut down Google+ to preserve user privacy. Not sure if that's
what you're implying with your comment-- I hope it's not.

~~~
dragonwriter
> Google didn't shut down Google+ to preserve user privacy

They accelerated the planned shutdown for exactly that reason.

~~~
rohan1024
They did that because the cost of maintaining the platform was higher than its ROI. If
Google+ had like 300M-400M monthly active users I don't think they would have
shut down Google+.

~~~
digianarchist
The ROI on Google+ has been negative since before it launched.

~~~
aylmao
Investments tend to take a while to return-- this one didn't pay off though.

------
bob_theslob646
How come Google has never had a breach? Do they do a better job with security?
Is Facebook more of a target than Google?

~~~
tqi
[https://www.theverge.com/2018/10/8/17951914/google-plus-data...](https://www.theverge.com/2018/10/8/17951914/google-plus-data-breach-exposed-user-profile-information-privacy-not-disclosed)

[https://www.theverge.com/2018/12/10/18134541/google-plus-pri...](https://www.theverge.com/2018/12/10/18134541/google-plus-privacy-api-data-leak-developers)

~~~
Ivoirians
Technically, these aren't breaches or leaks, they're vulnerabilities.

Whether you believe data was exfiltrated is essentially a reflection of how
much you trust or distrust Google.

------
chrisseldo
Facebook's release:
[https://developers.facebook.com/blog/post/2018/12/14/notifyi...](https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/)

~~~
vuln
[https://outline.com/nsaNJ4](https://outline.com/nsaNJ4)

------
foobaw
Where are the technical details on what the bug was and how it was possible?
Shouldn't this be disclosed?

~~~
d4l3k
Seems pretty clear
[https://developers.facebook.com/blog/post/2018/12/14/notifyi...](https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/)

------
addicted
I’ll be interested in seeing what the number of affected users actually ends
up being. As John Gruber at Daring Fireball has pointed out, Facebook has a
rich history of giving initial numbers which tend to grow by orders of
magnitudes over the coming weeks.

------
connorgutman
Someone needs to go Mr. Robot and 5/9 Facebook's servers. This is getting
ridiculous.

------
Jaruzel
As IT people, we owe it to our families to offer to self-host their social
data on one of the many open-source platforms that are available.

Maybe spend some time over the Xmas period having 'The Conversation' with our
loved ones about their data safety?

~~~
treve
Why do you think that self-hosting is safer?

------
polskibus
Does it fall under GDPR violation?

~~~
megous
No. Unless they didn't report it to the regulators.

~~~
nneonneo
Article 34 clearly states that the breached organization must inform the data
subject "without undue delay". Given that the event occurred in September, and
it is now December, I would characterize that as an undue delay.

There should be GDPR consequences of this - it's time that law got properly
put to the test.

~~~
jsnell
I'd imagine what matters is the delay from when you learn about the issue, not
the delay from when it happened. This blog post looks a lot more like
something they discovered now than something they discovered in September.
(E.g. the way they'll have "tools for figuring out who was affected next
week").

------
spiderPig
Turns out solving 3000 Leetcode questions doesn't teach you how to do security
right

------
ben174
Unrelated, but I'd love to know how that article managed to get a picture of
that Facebook sign without people standing in front of it. I drive by it daily
and I've _never_ seen it without people posing in front of it :)

~~~
techsin101
If you take multiple pictures then run an algorithm that only keeps the mode (most
occurring) pixels, then stationary objects will stay and moving people or
objects will disappear. Photoshop has this function. Tutorials on YouTube.
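
The stacking trick techsin101 describes, as an added example that is not part of the comment or any product: frames are lists of rows of integer grayscale pixels, `mode_stack` keeps each pixel's most frequent value across frames, and `median_stack` is the variant that still works once per-frame sensor noise makes exact repeat values rare. The 4x4 scene, the "visitor" positions and the noise offsets are constructed test data.

```python
"""Constructed illustration of image stacking to remove moving objects.

Each frame is a list of rows of integer grayscale pixels, all the same size.
A pixel that shows the static background in most frames keeps that value,
so anything passing through (a person in front of the sign in a few frames)
is outvoted. Mode suits noise-free input; median is the variant for real
photos, where sensor noise makes exact repeat values rare.
"""
from collections import Counter
from typing import Callable, List, Sequence

Frame = List[List[int]]


def _check_shape(frames: Sequence[Frame]) -> None:
    if not frames:
        raise ValueError("need at least one frame")
    h, w = len(frames[0]), len(frames[0][0])
    for f in frames:
        if len(f) != h or any(len(row) != w for row in f):
            raise ValueError("all frames must have the same shape")


def stack(frames: Sequence[Frame], reduce: Callable[[List[int]], int]) -> Frame:
    """Apply `reduce` to the column of values each pixel takes across frames."""
    _check_shape(frames)
    h, w = len(frames[0]), len(frames[0][0])
    return [[reduce([f[y][x] for f in frames]) for x in range(w)] for y in range(h)]


def pixel_mode(values: List[int]) -> int:
    """Most frequent value; ties resolve to the value seen first."""
    return Counter(values).most_common(1)[0][0]


def pixel_median(values: List[int]) -> int:
    """Lower-middle value, so the result is an actually observed pixel value."""
    ordered = sorted(values)
    return ordered[(len(ordered) - 1) // 2]


def mode_stack(frames: Sequence[Frame]) -> Frame:
    return stack(frames, pixel_mode)


def median_stack(frames: Sequence[Frame]) -> Frame:
    return stack(frames, pixel_median)


def make_frames(background: Frame, person_positions, person_value: int = 0,
                noise: Sequence[int] = ()) -> List[Frame]:
    """Constructed test frames: copy the background, optionally shift every
    pixel by a per-frame offset (crude sensor noise), then paint a single
    'person' pixel at a different position in each frame."""
    frames = []
    for i, (py, px) in enumerate(person_positions):
        offset = noise[i] if noise else 0
        f = [[v + offset for v in row] for row in background]
        f[py][px] = person_value
        frames.append(f)
    return frames


# Constructed 4x4 scene: a dark "sign" in the middle of a bright wall.
BACKGROUND: Frame = [
    [200, 200, 200, 200],
    [200, 120, 120, 200],
    [200, 120, 120, 200],
    [200, 200, 200, 200],
]
VISITORS = [(1, 1), (2, 2), (0, 3), (3, 0), (1, 2)]  # one per frame

if __name__ == "__main__":
    clean = make_frames(BACKGROUND, VISITORS)
    print(mode_stack(clean) == BACKGROUND)       # True: every visitor outvoted
    noisy = make_frames(BACKGROUND, VISITORS, noise=[0, 1, -1, 2, -2])
    print(mode_stack(noisy)[1][1], median_stack(noisy)[1][1])  # 0 119
```

With noise every background value at a pixel is distinct, so the mode tie-breaks to the person and the sign does not come back, while the median lands within the noise band of the true value.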

------
sakisv
At which point should we stop treating these things as bugs and start treating
them like features instead?

Not this particular thing per se but, you know, it's Facebook. As recent
history has proven, these things kind of come with the package.

------
Oras
Since Facebook is walking away all the time without any consequences, this
will happen again and again.

The long-term solution to this mess should come from users abandoning it which
is happening gradually based on recent reports.

~~~
jamesrcole
> _The long-term solution to this mess should come from users abandoning it_

Where will the people go? If it's other software it might end up being as bad or
worse.

~~~
Oras
What’s the value of Facebook? Serious question as you think people _should_
have an alternative.

~~~
jamesrcole
I didn't say an alternative that is like Facebook.

People want to communicate with others. If they use software for that then....
my original question applies.

And you've avoided answering that question.

------
snovv_crash
The more leaks there are, the more I feel that the mindset will shift from
user data being an asset to a liability.

------
sammycdubs
That privacy popup in NY really worked!

------
annadane
I mean, it's a bug. Happens to everyone. Criticize them for the things they
should be but don't make a case out of everything.

------
Mc_Big_G
Why is anyone still using FB/Whatsapp/Instagram? It seems the vast majority
just don't care at all about privacy.

~~~
dqhAR
Too big to avoid.

Data leaks happen to every tech company. As users/customers, we won't have
knowledge of the leaks unless they are publicly reported.

How can you "socialize" these days without using at least one of these
internet social/media platforms?

Ways to avoid giving them your data are either to be totally reclusive or to be
a tech geek who relies only on niche tech products that aren't mainstream.

What if they are used as highly valuable networking platforms for your job?
Some people live off some kind of business model taking advantage of the
sites. Also they work hard at maintaining their audience captivated and
engaged.

------
keyboardmowing
Wasn’t there a point in time that fb wanted users to submit their nude photos
so that they could better detect fake profiles? Lol

------
jhowell
Not very good at the data security thing. In other industries such as health
care, there are tables that define fines and penalties. Maybe the same is
needed here.

------
yumraj
Most of the comments below are echoing the statement "jail time for bugs!!!!!"
and similar sentiments, and therein lies the problem.

"bugs" is a catch-all word, it covers everything from a pesky typo in UI to
bugs like this, severe security issues, meltdown/spectre, VW bugs, and so on and
so forth.

Of course no jail time for a typo, but why not jail time or severe financial
and career consequences for severe bugs, especially when it can be shown that a
bug was caused by intentional decisions, malicious intent, sloppy
testing, a rushed product etc. and not by genuine mistakes - similar to
medical malpractice.

Of course lawyers will love it, but it can improve the overall situation.

And yes, I'm a software engineer and do know what I'm talking about.

~~~
walrus1066
Who would be held responsible? Coder? QA? Code reviewer? PM? person putting
pressure on PM?

~~~
yumraj
Depends...

If malicious intent, most likely the business owners, PM or engineering
management, but in some cases software engineers.

If due to rushed product, certainly the management and not software engineers
or QA.

and so on..

It depends..

