Over the weekend, Android Police received a tip about a serious privacy hole in Facebook Pages Manager for Android that made some privately uploaded photos public. Shortly after I made the details of the issue public, Facebook Security got in touch and let us know that its engineers were looking into the report and trying to get a fix up soon.
At 4:19pm PT today, I received a follow-up email from Facebook Security that confirmed a fix had been rolled out server-side, and no app update was necessary. The issue was introduced about a week prior, and the company promised to conduct a thorough internal review to investigate how it could have happened and how it could prevent similar issues in the future.
Additionally, in response to my inquiry regarding removal of all photos that were set public in error, Facebook Security said the engineering team is currently combing through everything and is planning to take them all down once they're positively and definitively identified.
I have verified that the fix is indeed working, so we can now consider this case closed.
For completeness, here is the relevant part of Facebook's response in full:
To update, we had engineers working through most of the night (California time) on this and they deployed a server-side fix within hours of getting the report. This patch stops the problem for anyone using the app without them needing to update. We're currently checking for any photos that were posted due to this bug and plan on taking them down once they're confirmed.
When it comes to the timeframe, this issue was introduced after a server-side change about a week ago. We'll certainly be performing a thorough review to investigate how all of this happened and help ensure that it doesn't happen again.
Thanks for the feedback on the whitehat page; we've worked to raise awareness of it among security researchers, but we'll look at taking more steps to make it easier to find for other users as well. There's some overlap between security and privacy, and while this may not have been a vulnerability for an attacker to exploit, it's certainly the sort of issue we'd want to know about. As the whitehat page indicates, we built it for reporting bugs "that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure".
By the way, if you have any details on what avenues Joann used in trying to notify us of this, I'd definitely like to review those reports to understand why they weren't picked up on sooner. We really appreciate her trying to get this fixed and want to ensure any future reports don't get overlooked or delayed.
Thanks again for the heads-up,