Facebook forced to drop flawed New Year feature
A blogger noticed a simple tweak of the URL allowed users to access messages written by total strangers.
London: Nearly a week after Facebook launched its New Year's messaging feature, the social networking site was on Monday forced to drop the app following a flaw that allowed anyone to see and even delete personal messages intended for others. The popular website had last week launched its Midnight Message Delivery feature to allow users to send New Year's messages to friends that automatically arrive on the stroke of midnight.
However, one student blogger noticed that a simple tweak of the URL at the top of the page allows users to access messages written by total strangers - and even delete them, the British newspaper Daily Mail reported. Jack Jenkins, a Aberystwyth University student, found the privacy flaw on Facebook's Midnight Message Delivery features on his blog early this morning.
"Facebook have not been very security conscious when setting this up," he wrote. A Facebook spokeswoman confirmed that it is aware of the issue and working on a fix. "We are working on a fix for this issue now," she said.
"In the interim we have disabled this app on the Facebook Stories site to ensure that no messages can be accessed," she added. By experimenting with the flaw, Jenkins said he was even able to see pictures sent by people.
"By simple manipulation of the ID at the end of the URL of a sent message on the FacebookStories site, you are able to view other peoples Happy New Year messages. It is you may say a pretty harmless flaw, as they tend to be generic messages and you can't see who sent them (it shows your profile pic next to the message, as if you've sent it)," he said. "However you can see the names of the recipients of the message," he said.