Facebook Security Flaw Allows Users to See Private New Year’s Messages

Facebook is offering a service that allows users to send messages to other users, which will be delivered at the stroke of midnight.

Facebook Midnight Delivery

This is part of their Facebook Stories site…


The only problem is, it has a little flaw.  As first reported on Jackthewelshman’s blog, anyone can view and even delete other users’ messages.  As you can see in his examples, all it takes is a slight change of the URL and you’re now viewing (or deleting) someone else’s private message.

Not that anyone is using this Midnight Delivery service to send extremely sensitive information, but as Jackthewelshman pointed out, private pictures – pictures of people and their kids – were all visible to the public.

This is just the most basic of issues one has to address when building a web application.  Testing for access to resources without being logged in, URI manipulation, etc. are all things even a small company has to deal with, let alone Facebook.
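The missing check, and a test that would have caught it, sketched as an added example (not code from the original post or from Facebook). The message store, handler names, status codes and the sender-only delete policy are all assumptions made for illustration.

```python
# Added example: constructed data and hypothetical handler names.
from dataclasses import dataclass

@dataclass
class Message:
    sender: str
    recipient: str
    body: str

# Constructed sample store keyed by the ID that appears in the URL.
MESSAGES = {
    101: Message("alice", "bob", "Happy New Year!"),
    102: Message("carol", "dave", "Family photo attached"),
}

def view_vulnerable(store, session_user, msg_id):
    """Flawed pattern: the ID from the URL is trusted; no login or ownership check."""
    msg = store.get(msg_id)
    return (200, msg.body) if msg else (404, None)

def _authorize(store, session_user, msg_id, allowed):
    """Return (status, message), denying by default."""
    if session_user is None:
        return 401, None  # not logged in
    msg = store.get(msg_id)
    # Same 404 for "missing" and "not yours", so responses do not reveal which IDs exist.
    if msg is None or session_user not in allowed(msg):
        return 404, None
    return 200, msg

def view_message(store, session_user, msg_id):
    status, msg = _authorize(store, session_user, msg_id, lambda m: (m.sender, m.recipient))
    return status, (msg.body if msg else None)

def delete_message(store, session_user, msg_id):
    # Assumed policy: only the sender may delete a queued message.
    status, _ = _authorize(store, session_user, msg_id, lambda m: (m.sender,))
    if status == 200:
        del store[msg_id]
    return status

def audit_cross_user_access(store, handler, users):
    """Regression check: any 200 for a user who is not a party to the message is a leak."""
    leaks = []
    for uid in list(users) + [None]:  # None models a request with no session
        for msg_id, m in list(store.items()):
            if uid not in (m.sender, m.recipient) and handler(store, uid, msg_id)[0] == 200:
                leaks.append((uid, msg_id))
    return leaks
```

Running `audit_cross_user_access` against every handler that takes an ID from the URL, as part of the test suite, turns the manual URL change described above into an automated check.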

For such a high-profile ‘featured service’ of theirs to have such a glaring flaw begs the question: what else is being overlooked?


Yet Another Internet Explorer Zero-Day Exploit

IE Zero Day

There is an unpatched vulnerability that affects Internet Explorer versions 8 and above.  This is being actively exploited in the wild and attackers are using it to ‘snoop’ through users’ systems.

This is just another of multiple zero-day exploits in Internet Explorer.

We recommend switching to Firefox (or Chrome) and removing all shortcuts to Internet Explorer.  Educate employees so they know it simply isn’t safe to use Internet Explorer.

Malwarebytes Update, New Look


This week, Malwarebytes released v1.70 which brings with it a slightly updated look.  The interface and program are still the same, but they’ve implemented their new logo/color palette throughout the application.



Malwarebytes’ Anti-Malware Pro (Old Icon)



Malwarebytes’ Anti-Malware Pro (New Icon)

We just wanted to point this out so everyone running Malwarebytes’ Anti-Malware Pro knows MBAM is still running and protecting your system; it’s just no longer using the traditional red ‘M’ icon.

Google Calendar Now Includes A Free Online Appointment Scheduler

Consignment stores, are you looking for a way to let your consignors book a consignment appointment online?  Google recently added an Appointments feature to Google Calendar.  When you go to create a new Event, you will now see an Appointment slots option:

New Consignment Appointment

You can then publish this calendar online for free and consignors can schedule appointments online:

Online Consignment Appointments

You can block out appointment times and specify the length of each consignment appointment:

Consignment Appointment Blocks

Once the appointment has been booked, the appointment time shows as booked online…

Booked Consignment Appointment

If you have a website, you can easily embed this calendar into a web page, or, just post a link to it on your Facebook page.

Google’s Appointment Scheduler offers consignment stores the following features:


  • Set specific time frames when consignment appointments are available.
  • Publish your calendar online for free, so consignors can schedule appointments online.
  • Set specific days and times when consignments are accepted.
  • Receive a notification when a consignor books an appointment.


Your consignors will need a Gmail account, which is free, and many already use Gmail.

Edit [12/4/2012 @ 2:19PM]: Added additional screenshots.
