27 May

Over the weekend, Android Police received a tip about a serious privacy hole in Facebook Pages Manager for Android that made some privately uploaded photos public. Shortly after I made the details of the issue public, Facebook Security got in touch and let us know that its engineers were looking into the report and trying to get a fix up soon.

At 4:19pm PT today, I received a follow-up email from Facebook Security that confirmed a fix had been rolled out server-side, and no app update was necessary. The issue was introduced about a week prior, and the company promised to conduct a thorough internal review to investigate how it could have happened and how it could prevent similar issues in the future.

Additionally, in response to my inquiry regarding removal of all photos that were set public in error, Facebook Security said the engineering team is currently combing through everything and is planning to take them all down once they're positively and definitively identified.

I have verified that the fix is indeed working, so we can now consider this case closed.

For completeness, here is the relevant part of Facebook's response in full:

Hi Artem,

To update, we had engineers working through most of the night (California time) on this and they deployed a server-side fix within hours of getting the report. This patch stops the problem for anyone using the app without them needing to update. We're currently checking for any photos that were posted due to this bug and plan on taking them down once they're confirmed.

When it comes to the timeframe, this issue was introduced after a server-side change about a week ago. We'll certainly be performing a thorough review to investigate how all of this happened and help ensure that it doesn't happen again.

Thanks for the feedback on the whitehat page; we've worked to raise awareness of it among security researchers, but we'll look at taking more steps to make it easier to find for other users as well. There's some overlap between security and privacy, and while this may not have been a vulnerability for an attacker to exploit, it's certainly the sort of issue we'd want to know about. As the whitehat page indicates, we built it for reporting bugs "that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure".

By the way, if you have any details on what avenues Joann used in trying to notify us of this, I'd definitely like to review those reports to understand why they weren't picked up on sooner. We really appreciate her trying to get this fixed and want to ensure any future reports don't get overlooked or delayed.

Thanks again for the heads-up,

Rory
Security
Facebook

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • scuttlefield

    Wow. That was surprisingly fast for Facebook. I guess they fix problems for customers quicker than they do problems for users... although this was a VERY serious flaw.

    • Rushabh Vora

      My guess is, the full disclosure of the bug by AndroidPolice spurred Facebook to fix this as soon as possible.

    • http://www.androidpolice.com/ Artem Russakovskii

      Facebook does treat privacy and security issues seriously and even has a bounty program (that I wasn't aware of): https://www.facebook.com/whitehat. Because the bounty program requires responsible disclosure instead of full disclosure (understandably so), they can spend a bit of extra time tracking things down and fixing them, though you wouldn't know because the bugs wouldn't be public.

      Of course, part of why I went with full disclosure is it tends to light a proper fire under the right butts. The effectiveness is evident by the speedy response, especially considering it's Memorial Day weekend.

    • Abhisshack

      No, they fixed the problem because of this blog post, to save themselves from more PR disaster.

  • http://www.bordersweather.co.uk/ Andy J

    Yes.... it would be one thing for this to be affecting normal users - Facebook would, as they have a good record of doing, drag their feet for several weeks before announcing a fix (and putting a positive spin on the situation) - however when it affects Pages - that means it affects businesses - and businesses spend money on advertising - upset the businesses and you lose the advertising revenue. Or put another way - if it was just affecting normal users - they would not have been working through the night to fix the problem...

  • http://www.friv4game.net/ Friv 4

    I usually use Facebook every day and I find it indispensable in life, I love my friends on it.

    • Disqus Sucks

      Your Facebook "friends" don't give a crap about you. Go live life.

  • Mandeep Singh

    I just wanna know when the bug regarding Insights will be solved????

  • Could be Anyone

    It was only fixed quickly because sites like Android Police reported it, so it's obvious that it would be fixed quickly; otherwise their reputation would suffer. Most of the time Facebook wouldn't care about people's privacy in the first place.