Facebook Squashes Bug That Made Privately Uploaded Photos Via Android Page Manager Public

By David Cohen 

Facebook Security fixed a bug over the weekend that affected its Pages Manager application for Android and made privately uploaded photos visible to the public.

Android Police reported on the bug and Facebook’s subsequent fix, saying that Facebook Security responded quickly to its report, and its fix was successful. Facebook emailed Android Police:

To update, we had engineers working through most of the night (California time) on this, and they deployed a server-side fix within hours of getting the report. This patch stops the problem for anyone using the app without them needing to update. We’re currently checking for any photos that were posted due to this bug and plan on taking them down once they’re confirmed.

When it comes to the time frame, this issue was introduced after a server-side change about a week ago. We’ll certainly be performing a thorough review to investigate how all of this happened and help ensure that it doesn’t happen again.

Thanks for the feedback on the white hat page; we’ve worked to raise awareness of it among security researchers, but we’ll look at taking more steps to make it easier to find for other users, as well. There’s some overlap between security and privacy, and while this may not have been a vulnerability for an attacker to exploit, it’s certainly the sort of issue we’d want to know about. As the white hat page indicates, we built it for reporting bugs “that could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure.”

Readers: Are you surprised Facebook was able to react so quickly and remedy the issue?
