Facebook Security Flaw Allows Users to See Private New Year’s Messages

Facebook is offering a service that allows users to send messages to other users, which will be delivered at the stroke of midnight.

Facebook Midnight Delivery

This is part of their Facebook Stories site…

https://www.facebookstories.com/midnightdelivery

The only problem is, it has a little flaw. As first reported on Jackthewelshman’s blog, anyone can view and even delete other users’ messages. As you can see in his examples, all it takes is a slight change of the URL and you’re now viewing (or deleting) someone else’s private message.

Not that anyone is using this Midnight Delivery service to send extremely sensitive information, but as Jackthewelshman pointed out, private pictures – pictures of people and their kids – were all visible to the public.

This is just the most basic of issues one has to address when building a web application. Testing for access to resources without being logged in, URI manipulation, etc. are all things even a small company has to deal with, let alone Facebook.
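The flaw described above is a classic missing authorization check: the message is looked up by the id in the URL and nothing verifies that the person asking is a party to it. The following is an added illustration, not code from Facebook or from Jackthewelshman’s write-up, using a constructed in-memory message store and hypothetical handler names; it shows the vulnerable lookup beside a hardened version that requires a login and checks ownership before both viewing and deleting.

```python
"""Guessable message ids with no ownership check, beside the fixed handlers."""
from dataclasses import dataclass


@dataclass
class Message:
    message_id: int
    sender: str
    recipient: str
    body: str


# Constructed sample store: scheduled messages keyed by a sequential, guessable id.
MESSAGES = {
    1001: Message(1001, "alice", "bob", "Happy New Year, Bob!"),
    1002: Message(1002, "carol", "dave", "See you next year, Dave."),
}


class Forbidden(Exception):
    """Raised when the requester may not access the message."""


def view_message_vulnerable(message_id, requester=None):
    # Looks up the record by the id taken straight from the URL. Anyone who
    # edits the number in the URL gets any message, logged in or not.
    return MESSAGES[message_id]


def _authorize(message_id, requester):
    # Deny anonymous access first, then require the requester to be a party to
    # the message. A missing id and a denied id produce the same error, so the
    # error code does not reveal which ids exist.
    if requester is None:
        raise Forbidden("login required")
    msg = MESSAGES.get(message_id)
    if msg is None or requester not in (msg.sender, msg.recipient):
        raise Forbidden("no such message")
    return msg


def view_message_fixed(message_id, requester=None):
    return _authorize(message_id, requester)


def delete_message_fixed(message_id, requester=None):
    # The same ownership check guards the destructive action.
    msg = _authorize(message_id, requester)
    del MESSAGES[message_id]
    return msg


def access_denied(handler, message_id, requester=None):
    # Helper for checks: True when the handler refuses the request.
    try:
        handler(message_id, requester)
    except Forbidden:
        return True
    return False
```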

For such a high-profile, ‘featured service’ of theirs to have such a glaring flaw raises the question: what else is being overlooked?


I've been helping consignment & resale store-owners since 2003. I started The Computer Peeps in February of 2010. After 15 years of working with consignment stores, I understand the unique challenges consignment & resale store-owners face. From electrical issues in old buildings or strip malls, to advocating for them when their consignment software keeps crashing. I now manage over 400 computer systems, servers & websites for store-owners all across North America and I am the developer/programmer of Peeps' Software -- the only software written FOR consignment & resale stores specifically.
