Facebook: Developers Wrongfully Accessed User Data - Again
Company Acknowledges 100 Third-Party Developers Had Unauthorized Access
Facebook has revealed that, once again, it allowed third-party app developers to wrongfully gain access to its customers' private data.
In a blog post, Konstantinos Papamiltiadis, Facebook's director of developer platforms and programs, noted that the company changed access for about 100 third-party developers after the problem was discovered. The wrongful access involved certain APIs, including the one behind the social media platform's Groups feature, according to the post.
"We recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended," Papamiltiadis says. The discovery was part of an ongoing review of third-party app developers who use the platform.
Of the 100 third-party developers who were flagged by internal staff, Papamiltiadis notes that 11 accessed Group members' personal data over the last 60 days.
"Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted," he says.
This latest incident comes after the U.S. Justice Department and the Federal Trade Commission fined Facebook $5 billion in July for violating users' privacy related to the Cambridge Analytica scandal, which involved third parties accessing data without consent (see: It's Official: FTC Fines Facebook $5 Billion).
In the blog post, Papamiltiadis did not release the names of the apps involved, but he noted that they were related to either social media management or video streaming.
"For example, if a business managed a large community consisting of many members across multiple groups, they could use a social media management app to provide customer service, including customized responses, at scale," Papamiltiadis says.
And while access to this customer data helped the developers refine their applications, Papamiltiadis notes that Facebook decided to remove that access.
One reason for this is that in April 2018, after the Cambridge Analytica issue came to light, Facebook changed the way third-party developers can access APIs within the platform. As part of those changes, Facebook limited the information that those APIs would return, and users would have to opt in before additional data, such as names and profile pictures, could be shared, Papamiltiadis notes.
But Facebook found during its latest investigation that those safeguards were not working as expected, Papamiltiadis says. "As we continue to work through this process we expect to find more examples of where we can improve," he adds.
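The failure the post describes has two parts: an API that should have returned only base fields unless the member opted in, and app access that was supposed to lapse but was retained longer than intended. The following is an added example, written for this article and not Facebook's code or data model, of how such an endpoint can enforce both rules and how an audit can surface grants that outlived their term. Member records, opt-in choices, field names, the `AppGrant` record and the 90-day TTL are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical, not Facebook's data model): members of one
# group and whether each member opted in to sharing profile details with apps.
MEMBERS = {
    "g1": [
        {"id": "u1", "name": "Alice", "profile_picture": "https://example.invalid/u1.png"},
        {"id": "u2", "name": "Bob", "profile_picture": "https://example.invalid/u2.png"},
    ]
}
OPT_IN = {"u1": True, "u2": False}

# Fields every approved app receives, versus fields that require both an app
# scope approved at review time and a per-member opt-in.
BASE_FIELDS = {"id"}
OPT_IN_FIELDS = {"name", "profile_picture"}


@dataclass(frozen=True)
class AppGrant:
    """Hypothetical record of one app's approved access to one group."""
    app_id: str
    group_id: str
    granted_at: datetime
    ttl: timedelta            # how long the access was meant to last
    scopes: frozenset         # fields the app was approved to receive
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.granted_at + self.ttl


def group_members(grant: AppGrant, group_id: str, now: datetime) -> list:
    """Serve a Groups-style member list, enforcing expiry, scope and opt-in.

    Raises PermissionError instead of silently returning data when the grant
    does not cover this group or has lapsed; the caller sees a hard failure.
    """
    if grant.group_id != group_id:
        raise PermissionError(f"{grant.app_id} has no grant for {group_id}")
    if not grant.is_active(now):
        raise PermissionError(f"{grant.app_id}: grant for {group_id} expired or revoked")
    result = []
    for member in MEMBERS.get(group_id, []):
        allowed = set(BASE_FIELDS)
        if OPT_IN.get(member["id"], False):
            # Only the intersection of app scope and member opt-in is released.
            allowed |= OPT_IN_FIELDS & grant.scopes
        result.append({k: v for k, v in member.items() if k in allowed})
    return result


def find_stale_grants(grants: list, now: datetime) -> list:
    """Audit helper: grants past their TTL that were never revoked.

    This is the check that catches "retained access for longer than intended";
    a platform should run it on a schedule, not only after an incident.
    """
    return [g for g in grants if not g.revoked and now >= g.granted_at + g.ttl]


# Constructed scenario: one grant inside its term, one well past it.
NOW = datetime(2019, 11, 6, tzinfo=timezone.utc)
FRESH_GRANT = AppGrant("app-a", "g1", NOW - timedelta(days=10), timedelta(days=90),
                       frozenset({"name"}))
STALE_GRANT = AppGrant("app-b", "g1", NOW - timedelta(days=400), timedelta(days=90),
                       frozenset({"name", "profile_picture"}))

if __name__ == "__main__":
    print(group_members(FRESH_GRANT, "g1", NOW))
    print([g.app_id for g in find_stale_grants([FRESH_GRANT, STALE_GRANT], NOW)])
```

Running the block prints the member list as app-a is allowed to see it (Alice's name because she opted in and the app holds the `name` scope, Bob's id only) and lists app-b as a stale grant. Note that app-b's broader scopes make no difference once the grant has lapsed: the expiry check runs before any field filtering, which is the ordering a platform wants when the goal is to stop retained access rather than merely narrow it.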
Throwback to Cambridge Analytica
In the Cambridge Analytica scandal, Facebook allowed a third-party developer to collect data not only from people who interacted with an application called "This is Your Digital Life," but also from users who didn't sign up to use this application or give their permission.
The result was that the now-defunct political consulting firm Cambridge Analytica managed to gather information on 87 million people.
As part of its settlement with the Federal Trade Commission, Facebook agreed to put in place new privacy controls to keep users' data more private and out of the hands of third parties who develop applications for the social media platform.
In September, Facebook suspended several thousand applications from its platform, some of which were improperly accessing users' private data without consent.
In many cases, companies develop APIs for developers to drive revenue or increase profits, but many times basic security measures are not put in place to secure customer data, says Joseph Carson, chief security scientist at Thycotic.
Facebook took corrective measures when it discovered the unauthorized access, he notes. "In some instances, when security is more difficult, companies have to change the way the API works or revoke the access to the API altogether, which is what Facebook has done in this latest privacy failure."