Facebook offered a new feature for New Year’s Eve that allowed users to deliver Midnight Messages to their friends at the stroke of 12.
Facebook users could wish any of their Facebook friends a Happy New Year at midnight in a personal message. The message would appear in the recipient’s inbox at midnight January 1, at 12:00 am. You could even add a photo to the message. This let Facebook users party hard on New Year’s Eve while still wishing their loved ones a happy new year in their local timezone.
The automated holiday message delivery is an attempt by Facebook to test the new feature and see whether users take advantage of it or whether it becomes too cluttered and spammy.
However, before the feature could actually be tested, security flaws were reported in it. IT student Jack Jenkins wrote in a blog post that he realized users were able to view other people’s messages and photos, and even delete them.
By simply manipulating the ID at the end of the URL of a sent message on the Facebook Stories site, you are able to view other people’s Happy New Year messages. These messages appear to have rather public confirmation pages, making them available to anyone who knows the URL syntax.
Although the messages tend to be generic and you can’t see who sent them, it is still a serious security flaw that cannot be overlooked. The page shows only your own profile picture next to the message, as if you had sent it, but you can see the names of the recipients in the message.
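The behaviour described above is a missing ownership check on an ID taken from the URL. The following is an added example, not Facebook's code and not part of the original article: it contrasts view and delete handlers that trust the ID with handlers scoped to the logged-in sender. The in-memory store, the numeric IDs and all function names are assumptions made for illustration.

```python
# Added example: constructed in-memory store, not Facebook's implementation.
from dataclasses import dataclass


@dataclass
class Message:
    sender_id: int
    recipients: list
    body: str


class Forbidden(Exception):
    """Raised when the caller may not access the requested message."""


def sample_store():
    # Constructed sample data with guessable, adjacent IDs.
    return {
        1001: Message(sender_id=1, recipients=["Alice"], body="Happy New Year!"),
        1002: Message(sender_id=2, recipients=["Bob"], body="Best wishes"),
    }


# Flawed pattern: the ID from the URL is the only input to the lookup,
# so any visitor who edits the ID reaches another sender's message.
def view_unchecked(store, message_id):
    return store[message_id]


def delete_unchecked(store, message_id):
    del store[message_id]


# Corrected pattern: every lookup is bound to the authenticated session user.
def _owned(store, session_user_id, message_id):
    msg = store.get(message_id)
    # Same error for "missing" and "not yours", so IDs cannot be probed.
    if msg is None or msg.sender_id != session_user_id:
        raise Forbidden("message not available")
    return msg


def view_checked(store, session_user_id, message_id):
    return _owned(store, session_user_id, message_id)


def delete_checked(store, session_user_id, message_id):
    _owned(store, session_user_id, message_id)
    del store[message_id]
```

The checked handlers take the user ID from the server-side session, never from the request, which is what stops an edited URL from reaching another sender's message.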
Jack Jenkins wrote in his blog:
Some messages do contain a photo, one such message I saw contained a photo of a father and their child, another a family photo, another was a personally written message with a photo such as this:
The worst part is that you can actually Delete other people’s messages.
However, Facebook appears to have taken the site offline to make some updates. When you go to the site, it displays a message saying “This site is currently undergoing some maintenance.”
In addition, a Facebook spokesperson told The Verge:
“We are working on a fix for this issue now, and in the interim we have disabled this app on the Facebook Stories site to ensure that no messages can be accessed.”
Such huge security flaws by the social networking giant cannot be overlooked.