Facebook’s Midnight Deliveries Feature Has A Privacy Flaw That Allows Anyone To View And Delete New Year’s Messages
Facebook launched it’s Midnight Delivery feature last week. This feature allows a user to send messages automatically to their friends at the stroke of midnight on New Year’s. This seems like a convenient feature, but it has a flaw.
According to TheNextWeb.com, Facebook’s New Year’s feature has a privacy flaw that allows anyone to view and delete messages that you send to friends via Midnight Delivery.
This makes the message available to anyone who has the URL syntax.
When a Facebook user successfully submits a message to be sent to their friends, that user will be shown a confirmation screen that displays a URL: http://www.facebookstories.com/midnightdelivery/confirmation?id=XXXXX.
From that URL, anyone curious enough can simply change the ID variable at the end of the web address and view the message that was sent.
The sender isn’t visible when you look at the sent message, but the intended recipient and the contents of the message are shown. The avatar that normally would display the sender’s image would then be replaced by the unexpected viewer’s image.
Along with viewing the messages contents, the flaw also allows the hacker to delete the message if they wanted. If they were to click on the “X” next to the image, it can be removed from the site.
Facebook has yet to comment on the flaw but they do appear to be working on the issue. Right now, if you attempt to view random messages and the service will no longer let you to create messages.
This is not an overwhelming problem, but if users used the Midnight Delivery system to send messages that were not suitable for work before the flaw was noticed … then they may be affected.