Facebook left red faced over messages blunder
One is the world’s biggest social networking site with more than one billion users. The other is a university student in Aberystweyth, Wales.
But it took student Jack Jenkins to point out to Facebook that the privacy settings on its special New Year messages facility were flawed, allowing total strangers to view, read, and even delete, messages sent between friends.
Facebook’s New Year’s Midnight Delivery feature was set up on Facebook Stories to let users write messages to friends which would then be automatically sent after midnight. It was designed to allow those busy bringing in the New Year to tee up posts so that they wouldn’t forget the rest of their friends or family.
In his blog, Jenkins said: “Facebook have implemented a new service to wish friends and family a Happy New Year, offering to deliver your message to them on the strike of midnight.
“Facebook, however, have not been very security conscious when setting this up. By simple manipulation of the ID at the end of the URL of a sent message on the FacebookStories site, you are able to view other people’s Happy New Year messages. At least I was when I edited the ID for myself.”
Jenkins said that by simply manipulating the ID number up or down a few digits you could view messages meant for others. He described it as “a pretty harmless flaw,” but said that you could see recipients’ names and even photographs, such as one message he viewed, which included an image of a father and their child.
But he added: “A very bad part of it all is I think that you can actually delete other people’s messages, which I have tested for myself on a single message as I thought that it would say ‘access denied’.
Jenkins said while Facebook hadn’t contacted him personally about the bug, the site was down for maintenance after he contacted administrators to alert them and, when he checked later the same day, it had been fixed.
A Facebook spokesperson said while its Stories site had to be taken offline for a time to rectify the issue, it was quickly up and running again. Facebook Stories is a separate site to the main Facebook site, so didn’t affect messaging on Facebook itself, with many people simple choosing to message their friends on the main site.
The error came the same month that a photograph posted by Mark Zuckerberg’s siter Randi led to her complaining that her privacy had been breached. Although, in that case, it was because a marketing director had tweeted the candid family snap that Randi had first shared on her private Facebook page.
Given that Facebook’s beginnings were fairly humble – it was, after all, founded by Mark Zuckerberg while he was still a student, along with fellow Harvard alumni Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes – we’re sure the site didn’t mind the fact it was a student pointing out its error. And, with Facebook quickly rectifying its problem, thousands of people were able to arrange New Year rendezvous and post messages to wish their nearest and dearest a happy and healthy 2013.