Facebook Security Flaw Allows Users to See Private New Year’s Messages

Facebook is offering a service that allows users to send messages to other users, which will be delivered at the stroke of midnight.

Facebook Midnight Delivery

This is part of their Facebook Stories site…


The only problem is, it has a little flaw.  As first reported on Jackthewelshman’s blog, anyone can view and even delete other users’ messages.  As you can see in his examples, all it takes is a slight change of the message ID in the URL and you’re now viewing (or deleting) someone else’s private message.  The server never checks that the message you asked for actually belongs to you; it is a textbook missing-authorization (insecure direct object reference) bug.

Not that anyone is using this Midnight Delivery service to send extremely sensitive information, but as Jackthewelshman pointed out private pictures – pictures of people and their kids – were all visible to the public.

This is one of the most basic issues one has to address when building a web application.  Checking that every request for a resource is both authenticated (is the user logged in at all?) and authorized (does this particular message belong to the requester?), and testing what happens when someone manipulates the ID in the URI, are things even a small company has to deal with, let alone Facebook.
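To make the two halves of that check concrete, here is an added example (mine, not Facebook’s code or anything from Jackthewelshman’s write-up).  It models a message store with sequential IDs, a handler with the flaw described above (trusts the ID in the URL and nothing else), the same handler with authentication and per-object authorization added, and the “change the URL” probe a tester would run against both.  All names, the message data, and the rule that only the sender may delete a scheduled message are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Message:
    """One scheduled midnight message. Field names are assumptions for the example."""
    id: int
    sender: str
    recipient: str
    body: str
    deleted: bool = False


class Unauthorized(Exception):
    """No logged-in session: HTTP 401 in a real handler."""


class NotFound(Exception):
    """Missing, deleted, or not yours: HTTP 404 in a real handler."""


def sample_store() -> Dict[int, Message]:
    """Constructed sample data standing in for the message store (not real data).
    Sequential ids are what makes 'change the URL' guessing trivial."""
    return {
        1001: Message(1001, "alice", "bob", "Happy New Year, Bob!"),
        1002: Message(1002, "carol", "dave", "Photo of the kids at the party"),
        1003: Message(1003, "erin", "frank", "See you at midnight"),
    }


# --- The flaw as described: the handler trusts the id in the URL and nothing else ---

def view_message_vulnerable(store, session_user, message_id) -> str:
    """session_user is accepted but never consulted, so any existing id is readable."""
    msg = store.get(message_id)
    if msg is None or msg.deleted:
        raise NotFound(message_id)
    return msg.body


def delete_message_vulnerable(store, session_user, message_id) -> bool:
    """Same omission on the destructive path: anyone can delete any message."""
    msg = store.get(message_id)
    if msg is None or msg.deleted:
        raise NotFound(message_id)
    msg.deleted = True
    return True


# --- The fix: authenticate first, then authorize against the object itself ---

def _load_authorized(store, session_user, message_id,
                     allowed: Callable[[Message, str], bool]) -> Message:
    if session_user is None:
        raise Unauthorized()  # not logged in at all
    msg = store.get(message_id)
    # Report "not yours" exactly like "does not exist" so the response does not
    # confirm which ids are valid to someone walking the id space.
    if msg is None or msg.deleted or not allowed(msg, session_user):
        raise NotFound(message_id)
    return msg


def view_message_fixed(store, session_user, message_id) -> str:
    """Sender and recipient may read the message."""
    msg = _load_authorized(store, session_user, message_id,
                           lambda m, u: u in (m.sender, m.recipient))
    return msg.body


def delete_message_fixed(store, session_user, message_id) -> bool:
    """Assumption for the example: only the sender may cancel a scheduled message."""
    msg = _load_authorized(store, session_user, message_id,
                           lambda m, u: u == m.sender)
    msg.deleted = True
    return True


# --- The test a reviewer would run: start from your own id and walk the neighbours ---

def idor_probe(view, store, session_user, own_id: int, span: int = 2) -> List[int]:
    """Return every neighbouring id (own_id +/- span) that `view` lets session_user read.
    A correct handler yields an empty list; the vulnerable one leaks its neighbours."""
    leaked = []
    for candidate in range(own_id - span, own_id + span + 1):
        if candidate == own_id:
            continue
        try:
            view(store, session_user, candidate)
        except (NotFound, Unauthorized):
            continue
        leaked.append(candidate)
    return leaked


def raises(exc_type, fn, *args) -> bool:
    """True if fn(*args) raises exc_type; handy for checking the negative cases."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable handler leaks:", idor_probe(view_message_vulnerable, sample_store(), "alice", 1001))
    print("fixed handler leaks:     ", idor_probe(view_message_fixed, sample_store(), "alice", 1001))
```

Two design points worth noting.  The authorization decision is made against the loaded object (who is the sender, who is the recipient), not against anything the client sent, so rewriting the ID in the URL buys an attacker nothing.  And the fixed handler answers “not yours” with the same 404 it uses for “does not exist”, so a probe like `idor_probe` cannot even confirm which IDs are live.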

That such a high-profile, ‘featured service’ of theirs has such a glaring flaw begs the question: what else is being overlooked?


I am a consignment software specialist, System Administrator for hundreds of consignment workstations across North America, and developer of Peeps' Software! I've been helping consignment & resale store-owners since 2003. I started The Computer Peeps in February of 2010. After 18+ years of working with consignment stores, I understand the unique challenges consignment & resale store-owners face. From electrical issues in old buildings or strip malls, to advocating for them when their consignment software keeps crashing. I now manage hundreds of computer systems, servers & websites for store-owners all across North America and I am the developer/programmer of Peeps' Software -- the only software written FOR consignment & resale stores specifically.
