Connect with us

Hi, what are you looking for?



Facebook: Third-Party App Developers Improperly Accessed User Information

Facebook says that 100 third-party application developers continued to access user information via the Groups API even after access to the data was restricted.

Facebook says that 100 third-party application developers continued to access user information via the Groups API even after access to the data was restricted.

The API was designed as an interface between Facebook and software that can be integrated with user groups on the social platform, and it provides app developers with access to a specific set of information on the group and its members.

Following last year’s reveal that Cambridge Analytica obtained data on millions of Facebook users without their consent, Facebook decided to improve the privacy of its users and restricted the information app developers had access to via some APIs, including the Groups API.

Specifically, prior to April 2018, when an app was authorized for a group, the app developer could access information such as the group’s name, number of users, the content of posts, member names, and profile pictures.

Since April 2018, only the group’s name, the number of users, and the content of posts is shared with the software developer via the Groups API. Users, however, can opt-in to share additional information.

According to Facebook, despite the restriction, some applications retained access to group member information like names and profile pictures, via the Groups API, for longer than intended.

The social platform believes that around 100 of its partners may have accessed group member information since the restrictions to the Groups API were announced. Within the last 60 days, at least 11 app developers accessed group members’ information.

“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted,” Facebook notes.

Advertisement. Scroll to continue reading.

The company says it has already removed the partners’ access to the data but did not provide information on the number of affected users.

These partners, the social platform explains, were primarily social media management and video streaming apps that would help admins manage groups more effectively and help members share videos to their groups.

“We aim to maintain a high standard of security on our platform and to treat our developers fairly. As we’ve said in the past, the new framework under our agreement with the FTC means more accountability and transparency into how we build and maintain products,” Facebook notes.

Related: Facebook Agrees to Pay Fine in Cambridge Analytica Scandal

Related: Facebook Sues South Korea Data Analytics Firm

Related: Facebook Suspends ‘Tens of Thousands’ of Apps in Privacy Review

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...