Security flaw may let anyone see your private Facebook new year messages

To usher in the New Year, Facebook recently launched Midnight Deliveries, a feature that allows users to send private messages to their contacts that will be delivered to them at the stroke of midnight. But in a reported security slip-up, it was discovered that with simple manipulation of the URL, private messages could be viewed by anyone on the web.

In a blog post, IT student Jack Jenkins revealed how anyone logged on to Facebook could use simple manipulation techniques to view other users' messages and photos and even delete them. Jenkins wrote that if you change the numbers in the URL generated after your message is sent out, you can view private messages sent by others, shown with your profile picture next to them as if you had sent them.

Some of these private ‘Midnight Deliveries’ messages even had photographs attached to them. “It is you may say a pretty harmless flaw, as they tend to be generic messages and you can’t see who sent them (it shows your profile pic next to the message, as if you’ve sent it). However you can see the names of the recipients of the message,” writes Jenkins in his blog.

What's worse, Jenkins realised that if you're able to see messages sent by others, you can delete them too. The IT student experimented by deleting a ‘1-1 message, to minimise disruption’ and documenting it with screenshots.

While it is practically impossible to find a message by a specific user in order to view or manipulate it, thanks to the randomly generated string of numbers at the end of the URL, it is still possible to view messages sent by strangers. The Midnight Deliveries service will in all probability carry only generic wishes and festive season photographs, but it is a serious slip-up on Facebook’s part that allows private messages to become public. Facebook has not commented on the issue, but the Midnight Deliveries site seems to be under maintenance now.
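The behaviour Jenkins describes is what happens when a server treats the number in the URL as sufficient proof of access. As an added illustration (not Facebook's code and not from Jenkins's post; the message store, function names and sample messages are hypothetical and constructed), this Python example puts that flawed lookup beside a version that checks ownership before viewing or deleting:

```python
# Added illustration: constructed data, hypothetical names; not Facebook's code.
import secrets

class Forbidden(Exception):
    """Raised when the logged-in user does not own the requested message."""

# Constructed sample store: message id (as it would appear in the URL) -> record.
MESSAGES = {
    "1001": {"sender": "alice", "recipients": ["bob"], "body": "Happy New Year!"},
    "1002": {"sender": "carol", "recipients": ["dave", "erin"], "body": "See you in 2013"},
}

def view_message_vulnerable(session_user, message_id):
    # Flawed pattern from the article: any logged-in user who supplies a valid
    # id gets the recipients and body, rendered as if the message were theirs.
    msg = MESSAGES[message_id]
    return {"shown_as_sender": session_user,
            "recipients": msg["recipients"], "body": msg["body"]}

def _load_owned(session_user, message_id):
    # Object-level authorization: the id from the URL is only a lookup key.
    # Access is decided by comparing the record's owner with the session user.
    msg = MESSAGES.get(message_id)
    if msg is None or msg["sender"] != session_user:
        # Same error for "missing" and "not yours", so ids cannot be probed.
        raise Forbidden("message not available")
    return msg

def view_message(session_user, message_id):
    return dict(_load_owned(session_user, message_id))

def delete_message(session_user, message_id):
    _load_owned(session_user, message_id)  # same check guards the destructive action
    del MESSAGES[message_id]

def new_message_id():
    # Unguessable ids make enumeration harder, but they are defence in depth
    # only: the ownership check above is what keeps a message private.
    return secrets.token_urlsafe(16)
```
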

Facebook’s privacy flaws have been in the news for the past week, after founder Mark Zuckerberg’s sister Randi found herself embroiled in controversy. The older Zuckerberg sibling was in for a surprise when she found a private picture of hers leaked on Twitter by a subscriber.

Zuckerberg chastised Callie Schweitzer, Vox Media’s Marketing Manager, for invading her privacy. The former marketing head of Facebook soon regained her composure and graciously accepted Schweitzer’s apology, saying, “I think you saw it [because] you're friends [with] my sister (tagged). Thanks for the apology.” The tweet has since been deleted, but Zuckerberg was clearly sore about the entire incident as she added, “I’m just sensitive to private photos becoming ‘news.’”

Zuckerberg signed off by blaming social networking users for a lack of digital etiquette, instead of contemplating what is wrong with the privacy settings of the website her younger sibling Mark heads. A Twitter user named Anna (@girlvanized) pointedly told Zuckerberg, “Instead of vilifying a subscriber for not reading your mind, maybe you should talk to your brother about recent FB changes.”

Published Date: Dec 31, 2012 11:53 am | Updated Date: Dec 31, 2012 11:53 am