Facebook discloses a new leak that exposes group members’ data

Pierluigi Paganini November 06, 2019

Facebook disclosed a new security incident, the social network giant admitted that app developers may have accessed its group users’ data.

Facebook disclosed another security incident, the company revealed that roughly 100 app developers may have improperly accessed users’ data in certain Facebook groups.

Let’s understand how it is possible. The company explained that before April 2018, group admins could authorize an app for a group, this implies that its developers grant access to information in the group. After the changes implemented in the Groups API after April 2018 in response to the Cambridge Analytica privacy scandal, if an admin authorized an app for the group, it would only get information, such as the group’s name, the number of users, and the content of posts. Facebook pointed out that an app to access additional information such as name and profile picture in connection with group activity, group members had to opt-in.

As part of an ongoing review, Facebook experts discovered that some apps retained access to group member information, including names and profile pictures in connection with group activity, from the Groups API, for longer than we intended. 

“Today we are also reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API, although it’s likely that the number that actually did is smaller and decreased over time.” reads the blog post published by Facebook. “We know at least 11 partners accessed group members’ information in the last 60 days.”

Applications involved in the latest incident were primarily social media management and video streaming apps that let group manage admins their groups and allows members sharing their videos with other group members.

At the time it is not clear how many users were affected by the incident, Facebook confirmed that it is not aware of any abuse of the group members’ data and that it finally blocked the unauthorized access to the data.

“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted.” continues the post.

In July, Facebook agreed to pay a $5 billion fine as a settlement with the Federal Trade Commission (FTC) over the Cambridge Analytica case.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Facebook, privacy)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment