Facebook privacy misconfiguration allowed user data to be shared with about 5,000 apps and developers even after their access should have expired
In 2018, when the Cambridge Analytica scandal broke, it emerged that Facebook user data had been passed to apps connected with Cambridge Analytica. After the public outcry, Facebook began tightening the rules on how its users' data could be shared with any app. However, a privacy setting misconfiguration may have exposed the data of millions of Facebook users to some 5,000 apps.
Facebook said it has discovered a back-end privacy issue that let thousands of apps keep receiving users' personal information after their access should have automatically expired. After the Cambridge Analytica scandal, Facebook had introduced a 90-day expiry: an app would stop receiving updates to a user's data once Facebook's systems had not seen that user use the app for 90 days. A misconfiguration in the back end, however, meant that users' data kept flowing to apps even after that period had passed.
The issue was announced today by Konstantinos Papamiltiadis, Facebook's vice-president of platform partnerships. In a blog post, Papamiltiadis said Facebook had recently discovered that some apps continued to receive previously authorized user data even though the user had not used the app in more than 90 days. Facebook estimates that approximately 5,000 developers kept receiving user data because of the bug.
Papamiltiadis explained that after the Cambridge Analytica scandal, Facebook changed the way apps could access user data. “In 2018, we announced that we would automatically expire an app’s ability to receive any updates to this information if our systems didn’t recognize a person as having used the app within the last 90 days.”
However, Facebook found that the expiry did not take effect, and the bug kept sending data to approximately 5,000 developers. “From the last several months of data we have available, we currently estimate this issue enabled approximately 5000 developers to continue receiving information — for example, language or gender — beyond 90 days of inactivity as recognized by our systems,” Papamiltiadis added.
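The 90-day inactivity rule described above, modelled as an added example that is not part of the article or of Facebook's code. The Grant record, the field names and the timestamps are constructed for illustration; the article does not say what Facebook's misconfiguration was, so the cached gate below is a hypothetical way such a gap could arise (deciding activity once and never re-checking it), not a statement of the actual root cause:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy described in the article: an app stops receiving updates to a user's
# data once the platform has not recognised the user as using the app for
# 90 days.  Everything below is an illustrative model, not Facebook's code.
INACTIVITY_WINDOW = timedelta(days=90)


@dataclass
class Grant:
    """Permission a user gave an app at login (hypothetical model)."""
    app_id: str
    user_id: str
    fields: frozenset          # fields the user authorised, e.g. language, gender
    last_used_at: datetime     # last time the platform saw the user use the app


def is_active(grant: Grant, now: datetime) -> bool:
    """True while the user's last recognised use lies within the window."""
    return now - grant.last_used_at <= INACTIVITY_WINDOW


def record_use(grant: Grant, now: datetime) -> None:
    """A recognised use of the app restarts the 90-day clock."""
    grant.last_used_at = now


def filter_fields(grant: Grant, update: dict) -> dict:
    """Only ever forward the fields the user authorised."""
    return {k: v for k, v in update.items() if k in grant.fields}


def checked_gate(grant: Grant, update: dict, now: datetime):
    """Correct gate: inactivity is evaluated on every delivery."""
    if not is_active(grant, now):
        return None
    return filter_fields(grant, update)


def make_cached_gate(grant: Grant, evaluated_at: datetime):
    """Hypothetical broken gate: activity is decided once and cached, so a
    user who stops using the app never drops off the delivery list.  This is
    an assumption for illustration, not a claim about Facebook's root cause."""
    active = is_active(grant, evaluated_at)

    def gate(g: Grant, update: dict, now: datetime):
        return filter_fields(g, update) if active else None

    return gate


def simulate(gate, grant: Grant, updates):
    """Push a series of (timestamp, update) through a gate; return the
    ISO dates on which the app actually received something."""
    delivered = []
    for ts, update in updates:
        if gate(grant, update, ts) is not None:
            delivered.append(ts.date().isoformat())
    return delivered


def make_scenario():
    """Constructed sample data: one user, one app, profile updates spread
    over 120 days after the last recognised use on day 0."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    grant = Grant("app_123", "user_456", frozenset({"language", "gender"}), t0)
    updates = [
        (t0 + timedelta(days=d),
         {"language": "en_GB", "gender": "female", "email": "x@example.org"})
        for d in (10, 60, 89, 91, 120)
    ]
    return t0, grant, updates


def run_comparison():
    """Same updates through the cached gate and the per-delivery gate."""
    t0, grant, updates = make_scenario()
    leaky = simulate(make_cached_gate(grant, t0), grant, updates)
    correct = simulate(checked_gate, grant, updates)
    return leaky, correct


def run_with_renewed_use():
    """The user opens the app again on day 60, so the clock restarts and
    the per-delivery gate keeps delivering through day 120."""
    t0, grant, updates = make_scenario()
    record_use(grant, t0 + timedelta(days=60))
    return simulate(checked_gate, grant, updates)


if __name__ == "__main__":
    print(run_comparison())
    print(run_with_renewed_use())
```

The point the comparison makes is that an expiry rule is only as good as where it is enforced: the cached gate delivers the day-91 and day-120 updates because it never looks at the clock again, while the per-delivery gate stops after day 89 and also never forwards the unauthorised email field.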
He said Facebook has so far seen no sign that the data was misused. “We haven’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook.”
The issue was fixed within a day of being detected. Apps will now stop receiving updates to a user's data once that user has not used the app for 90 days.