Facebook is offering a service that allows users to send messages to other users, which will be delivered at the stroke of midnight.
This is part of their Facebook Stories site…
The only problem is, it has a little flaw. As first reported on Jackthewelshman’s blog, anyone can view and even delete other users’ messages. As you can see in his examples, all it takes is a slight change of the URL and you’re now viewing (or deleting) someone else’s private message.
Not that anyone is using this Midnight Delivery service to send extremely sensitive information, but as Jackthewelshman pointed out, private pictures – pictures of people and their kids – were all visible to the public.
This is just the most basic of issues one has to address when building a web application. Testing for access to resources without being logged in, URI manipulation, etc. are all things even a small company has to deal with, let alone Facebook.
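The flaw described above is a missing object-level authorization check: the server trusts the message id in the URL and never asks who is requesting it. As an added illustration (not code from the post, from Jackthewelshman's blog, or from Facebook), here is a minimal message store with the unchecked view/delete handlers beside hardened ones that require a logged-in user and verify ownership; the class names, the exception and the sample users are assumed.

```python
# Added example, not from the original post: a toy message service showing the
# authorization gap the post describes next to the check that closes it.
# All names here (MessageStore, AuthorizationError, sample users) are assumed.
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a caller may not act on the requested message."""


@dataclass
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str


class MessageStore:
    def __init__(self):
        self._messages = {}
        self._next_id = 1

    def create(self, sender, recipient, body):
        msg = Message(self._next_id, sender, recipient, body)
        self._messages[msg.msg_id] = msg
        self._next_id += 1
        return msg.msg_id

    # Vulnerable handlers: the id from the URL is trusted, the caller is ignored.
    def view_unchecked(self, msg_id):
        return self._messages[msg_id].body

    def delete_unchecked(self, msg_id):
        del self._messages[msg_id]

    # Hardened handlers: require an authenticated user and verify ownership.
    def _authorize(self, user, msg_id):
        if user is None:
            raise AuthorizationError("login required")
        msg = self._messages.get(msg_id)
        # Same error for "missing" and "not yours", so ids cannot be enumerated
        if msg is None or user not in (msg.sender, msg.recipient):
            raise AuthorizationError("not found")
        return msg

    def view(self, user, msg_id):
        return self._authorize(user, msg_id).body

    def delete(self, user, msg_id):
        self._authorize(user, msg_id)
        del self._messages[msg_id]
```

The `_unchecked` pair is the behaviour the post describes; in a real application every handler that takes an object id from the request should go through something like `_authorize` before reading or mutating.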
For such a high-profile, ‘featured service’ of theirs to have such a glaring flaw begs the question: what else is being overlooked?