Facebook Midnight Delivery New Year's app hit by serious privacy flaw
Exposed midnight messages to snooping users
Facebook was forced to temporarily disable its Midnight Message service today, after an IT student uncovered a security flaw.
The Midnight Delivery app, which is part of the Facebook Stories site, allows users to send a message to their pals across the globe and have it appear when the clock strikes 12am on January 1.
However, when testing the messaging app, British IT student Jack Jenkins found that he was able to access messages and photos sent by other users, simply by modifying the URL of his own messages.
The new messages displayed his personal profile picture, but the content of the messages, photos from other users, as well as the names of the recipients.
Personal images
Writing on his personal blog, Jenkins said he was able to view an image of a father and son (people that he did not know) and even delete messages that had been sent.
Jenkins, who studies at Aberystwyth University, posted: "It shouldn't be possible to do this, as these are not generic and are people's personal images.
"A very bad part of it all is I think that you can actually delete other people's messages, which I have tested for myself on a single message as I thought that it would say access denied."
Get daily insight, inspiration and deals in your inbox
Sign up for breaking news, reviews, opinion, top tech deals, and more.
The flaw did not expose regular Facebook Inbox messages, only those which had been sent through the Midnight Delivery app, but this is still a pretty serious lapse.
The social network said it was "working on a fix," but in the meantime disabled the app to ensure more messages could not be exposed.
It was available for use again as of noon in the UK (7am EST) on New Year's Eve.
Via The Next Web
A technology journalist, writer and videographer of many magazines and websites including T3, Gadget Magazine and TechRadar.com. He specializes in applications for smartphones, tablets and handheld devices, with bylines also at The Guardian, WIRED, Trusted Reviews and Wareable. Chris is also the podcast host for The Liverpool Way. As well as tech and football, Chris is a pop-punk fan and enjoys the art of wrasslin'.