by kkhire 2743 days ago
Can someone clear this up (preferably if you've worked with the FB API):

When the NYT published that Spotify and Netflix had access to private messages, isn't that simply so they can do a POST call for sharing a TV show or song?

2 comments

Facebook appears to have designed their system in such a way that permissions were not granular enough to do things like "Spotify can only post certain types of messages". Instead it had to be "Spotify has full read/write access to all private messages".

Given Facebook's history it's hard to believe that the lack of granularity, and resulting incentivizing of users to grant as much access to personal data as possible, was an accidental oversight.

Looking at the Spotify sign-in image from 2013 that jahlove found above, Spotify didn't even ask for that auth permission.

The full messaging access seemed to be a hidden bonus for their larger partners.

Seems to me that it was more of a "who cares" oversight than an accidental one.

This article seems to imply that Spotify ran an entire messenger client within its front end, which does require full read/write access, just like your email client requires access to your email, right?

It’s more dangerous because Spotify is a website and so could store your messages in theory.
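The two points made in the thread, that a coarse "full read/write on all messages" permission is the problem and that an embedded messenger client genuinely needs both read and send, can be made concrete with a small scope-check model. The example below is added here and is not Facebook's Graph API or any partner's code: the scope names (`messages:full`, `messages:share`, `messages:read`), the token shape and the "share card" payload format are all assumptions invented for the illustration. It shows that a narrow share-only scope lets an app post a typed song or show reference but cannot read the inbox or send free-form text, while the coarse scope covers everything, and that an in-app messenger cannot work on the narrow scope at all.

```python
"""Toy model of OAuth-style scope checks for a messaging API.

Added illustration only. Scope names, token format and the share-card
payload shape are assumptions made up for this example, not any real
platform's API.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical scopes. The coarse one is what the thread describes
# (full read/write on the whole mailbox); the two narrow ones are what
# a least-privilege design could have offered instead.
SCOPE_MESSAGES_FULL = "messages:full"    # read + send anything
SCOPE_MESSAGES_SHARE = "messages:share"  # send only, and only share cards
SCOPE_MESSAGES_READ = "messages:read"    # read only

# Content types a share card may reference (assumed list).
SHAREABLE_TYPES = {"song", "album", "playlist", "show", "movie"}


@dataclass(frozen=True)
class Token:
    app: str
    scopes: frozenset


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def is_share_card(payload: dict) -> bool:
    """A share card is exactly {type, uri}: a typed reference, no free text."""
    return (
        set(payload) == {"type", "uri"}
        and payload["type"] in SHAREABLE_TYPES
        and isinstance(payload["uri"], str)
        and payload["uri"].startswith(("spotify:", "https://"))
    )


def authorize(token: Token, action: str, payload: Optional[dict] = None) -> Decision:
    """Decide whether `token` may perform `action` on the user's mailbox.

    action is "read" (list threads / fetch messages) or "send" (create one).
    The coarse scope short-circuits every check, which is the granularity
    problem the thread is about.
    """
    if SCOPE_MESSAGES_FULL in token.scopes:
        return Decision(True, f"{token.app}: full mailbox scope covers {action}")

    if action == "read":
        if SCOPE_MESSAGES_READ in token.scopes:
            return Decision(True, f"{token.app}: read scope")
        return Decision(False, f"{token.app}: no read scope granted")

    if action == "send":
        if SCOPE_MESSAGES_SHARE not in token.scopes:
            return Decision(False, f"{token.app}: no send scope granted")
        if payload is None or not is_share_card(payload):
            return Decision(False, f"{token.app}: share scope permits typed share cards only")
        return Decision(True, f"{token.app}: share card of type {payload['type']}")

    return Decision(False, f"{token.app}: unknown action {action!r}")


def embedded_messenger_works(token: Token) -> bool:
    """An in-app messenger must list threads and send free-form text."""
    can_read = authorize(token, "read").allowed
    can_chat = authorize(token, "send", {"text": "hey, listen to this"}).allowed
    return can_read and can_chat


if __name__ == "__main__":
    # Constructed tokens for two hypothetical integrations of the same partner.
    share_only = Token("partner-share-button", frozenset({SCOPE_MESSAGES_SHARE}))
    full = Token("partner-embedded-messenger", frozenset({SCOPE_MESSAGES_FULL}))
    song = {"type": "song", "uri": "spotify:track:0000000000000000000000"}

    print(authorize(share_only, "send", song))          # allowed
    print(authorize(share_only, "read"))                # denied
    print(authorize(share_only, "send", {"text": "hi"}))  # denied
    print(authorize(full, "read"))                      # allowed
    print("messenger on share scope:", embedded_messenger_works(share_only))
    print("messenger on full scope:", embedded_messenger_works(full))
```

The design point is that the narrow scope is enforced on the payload shape, not just the HTTP verb: a POST that carries free text is refused even though it is "only a write". Whether a platform offers such a scope is a product decision; once an app is granted the coarse scope instead, the API cannot distinguish a share button from a full mailbox client.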