Facebook Security Flaw Allows Users to See Private New Year’s Messages

Facebook is offering a service that allows users to send messages to other users, which will be delivered at the stroke of midnight.

Facebook Midnight Delivery

This is part of their Facebook Stories site…


The only problem is, it has a little flaw.  As first reported on Jackthewelshman’s blog, anyone can view and even delete other users’ messages.  As you can see in his examples, all it takes is a slight change of the URL and you’re now viewing (or deleting) someone else’s private message.

Not that anyone is using this Midnight Delivery service to send extremely sensitive information, but as Jackthewelshman pointed out private pictures – pictures of people and their kids – were all visible to the public.

This is just the most-basic of issues one has to address when building a web application.  Testing for access to resources without being logged-in, URI manipulation, etc. are all things even a small company has to deal with, let alone Facebook.

For such a high-profile, ‘featured service’ of theirs to have such a glaring flaw, begs the question, what else is being overlooked?


I am a Software Developer, System Administrator, and consignment software specialist. I currently manage hundreds of consignment workstations, point of sale systems, and database servers all across North America and I am the developer of Peeps' Software, Peeps2Go, and Peeps' Consignor Login for iOS and Android. I've been helping consignment & resale store-owners since 2003. I started The Computer Peeps in February of 2010. Peeps' Software launched in 2016 and is now on hundreds of systems all across North America. I have successfully converted dozens of stores from all of the major consignment software systems. After 20 years of working with consignment stores, I understand the unique challenges consignment & resale store-owners face. From electrical issues in old buildings or strip malls, to advocating for them when their old consignment software keeps crashing.

Leave a Comment

Your email address will not be published. Required fields are marked *


Back To Top