Facebook disclosed a Photo API bug affecting up to 6.8 million users, and the announcement came one day after the company said it paid more than $1.1 million in bug bounties in 2018.
The Facebook API bug was active for 12 days — from Sept. 13th to Sept. 25th — according to the company, and it may have given third-party apps access to more than photos shared in a user’s timeline, which is how the permissions should work.
“In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post,” Tomer Bar, engineering director at Facebook, wrote in a blog post. “For example, if someone uploads a photo to Facebook but doesn’t finish posting it — maybe because they’ve lost reception or walked into a meeting — we store a copy of that photo for three days so the person has it when they come back to the app to complete their post.”
Jarrod Overson, director of engineering at Shape Security, said these features made the Facebook API bug even worse.
“This is an example of how often a company’s push to improve the user experience comes with the sacrifice of security and privacy. In order to present a faster experience to users, Facebook uploads and stores portions of a post even before a user has committed to submitting it,” Overson said. “No user would reasonably expect this data to be stored if they cancel the post and Facebook, by storing more data than is necessary, exposed themselves to higher risk needlessly.”
According to Bar, the Facebook API bug may have affected “up to 1,500 apps build by 876 developers.” Bar added that Facebook will roll out tools next week to help developers determine which users might have been affected by this issue.
The disclosure of this Facebook API bug was posted to Facebook’s developer news blog and not the company’s main Newsroom site.
A Facebook spokesperson said the company found and fixed the bug on Sept. 25th. The company then notified the Irish Data Protection Commission — the GDPR regulators already investigating the Facebook breach that affected 30 million users — about the affected users on Nov. 22nd.
“We notified the Irish Data Protection Commission as soon as we established it was considered a reportable breach under GDPR. We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72 hour timeframe,” a Facebook spokesperson said. “Part of the reason we have taken a while to let folks know is that we have been investigating the issue since it was discovered to try and understand its impact so that we could ensure we are contacting the right developers and people affected by the bug. Once we could establish that, it then took us some time to build a meaningful way to notify people, and get translations done.”
Andrew van der Stock, senior principal consultant at Synopsys, said he wasn’t surprised it took so long to disclose since Facebook likely obtained “significant legal advice prior to notifications to minimize legal exposure, which significantly delays notifications.”
“Delays are almost certainly not an objective of the GDPR legislation, but due to the large penalties involved, it is sadly not surprising. The goals of GDPR are to force accountability for privacy breaches, hopefully minimize the number of breaches, and the amount of time a breach goes on, but in reality the legal, financial, and reputational penalties are so large that firms must be cautious in their approach when responding,” van der Stock said. “It does appear that Facebook fixed the bug quickly, but it is disappointing that it took so long for a breach notification.”
According to multiple experts, this Facebook API bug should have been caught in the design or coding phase.
Mark Weiner, CMO at Balbix, said the Facebook API bug and the two recent Google+ API bugs prove that organizations “do not have adequate visibility into the hundreds of vulnerabilities and other threats facing their networks that could lead to unauthorized exposure of sensitive information.”
“Even when gaps in security are detected, most companies struggle to decide which remediations to prioritize, given limited IT resources and manpower,” Weiner said. “With 2019 around the corner, we will start to see organizations adopt security tools that leverage artificial intelligence and machine learning to continuously monitor for vulnerabilities and attack vectors, and to produce lists of prioritized fixes based on potential business impact.”
Richard Bird, chief customer information officer at Ping Identity, said the Facebook API bug could have been prevented.
“The fundamental issue here is that app/API developers are repeating history, meaning that they are not developing with a security from the start mindset and that APIs are not being fully tested against security related requirements,” Bird said. “Ultimately, the only place that security flaws can be discovered is in production. This breach is just the beginning of a rush to API everything compounded by bad app dev practices.”
Van der Stock said “a simple threat model would have discovered this flaw before any code was written.”
“Alternatively, simply implementing deny by default access control principle would have prevented this flaw. Possibly the developers might have been unaware of this basic principle, as it’s typically not taught in many computer science degrees,” van der Stock said. “Both of these basic activities indicate that developers and security folks must work together during the design and implementation of the API, rather than after it was released.”
Facebook’s bug bounty
The disclosure of the Facebook API bug came just one day after the company announced that in 2018 it had paid more than $1.1 million in bug bounties to researchers in more than 100 countries. The company received around 17,800 reports and issued bounties on 700 of those reports.
The company expanded the scope of its bug bounties to include access token exposure — which was at the heart of the breach affecting 30 million users — as well as covering misuse of data by developers following the Cambridge Analytica scandal.
Overson said there are reasons why the Facebook API bug might not have been caught in the bug bounty.
“Bug bounty programs are a way for a company to publicly state that they would like to have a relationship with public security researchers. They don’t guarantee that all bugs will be found nor do they guarantee that all found bugs will be disclosed,” Overson said. “APIs are regularly included in bug bounty programs but it’s the severity of the issue that dictates the reward. Low-severity bugs often don’t receive rewards and Facebook’s response and delay in disclosure seems to indicate that they did not consider this a severe problem.”