Facebook “Midnight Delivery” security flaw

Facebook have implemented a new service to wish friends and family a Happy New Year, offering to deliver your message to them on the strike of midnight.

StoriesFacebook however have not been very security consious when setting this up. By simple manipulation of the ID at the end of the URL of a sent message on the FacebookStories site, you are able to view other peoples Happy New Year messages. At least I was when I edited the ID for myself.

For example. I made this test one which you should be able to see saying “TEST TEST TEST TEST”:

Story2If you manipulate the ID (http://www.facebookstories.com/midnightdelivery/confirmation?id=76188), you can view other people’s messages, just change the ID number up or down a few.

It is you may say a pretty harmless flaw, as they tend to be generic messages and you can’t see who sent them (it shows your profile pic next to the message, as if you’ve sent it). However you can see the names of the recipients of the message.

Some messages do contain a photo, one such message I saw contained a photo of a father and their child, another a family photo, another was a personally written message with a photo such as this:

FBStory5I don’t know who these people are, but you can see it puts my profile pic next to it, as if I have sent the message. It shouldn’t be possible to do this, as these are not generic and are people’s personal images.

A very bad part of it all is I think that you can actually DELETE other people’s messages, which I have tested for myself on a single message as I thought that it would say access denied

Screenshot 1 shows a greeting written by someone: FBStory3

Screenshot 2 shows the greeting page after I clicked to delete it:

FBStory4

After I action the deletion, this URL is no longer reachable. Which may mean that I have deleted their message
Screenshot 3 is just an example of a mass message I came across:

FBStory2

I just wanted to share this. I don’t know how a site like Facebook can continue to take these kinds of risks. PLEASE Don’t go deleting random messages, but try and delete one of mine that I set up especially if you want :). And share this message with someone else who may be interested:
http://www.facebookstories.com/midnightdelivery/confirmation?id=76746
http://www.facebookstories.com/midnightdelivery/confirmation?id=76742

Jack. Tweet me here: https://twitter.com/Jackthewelshman

UPDATE 31/12/2012 05:25GMT – the site is currently down for maintenance, I sent it to Facebook too so I think they are working on it

UPDATE 31/12/2012 14:00GMT – Facebook still haven’t got back to me personally with  any response. This is the reason that I contacted The Verge, to actually get some action taken

UPDATE 31/12/2012 14:35GMT – I have just checked, the bug / oversight has now been fixed. You can no longer access other people’s messages by changing the confirmation message ID

UPDATE 01/01/2013 16:49GMT – Facebook still haven’t responded to the two messages that I sent regarding this bug (This is still correct 03/01/2013 23:05GMT – I guess that I’ll never get a response now)

About these ads

44 thoughts on “Facebook “Midnight Delivery” security flaw

  1. Pingback: Facebook security hole allows anyone to view private New Year's Midnight Delivery messages and photos » tymbndr.com

  2. Pingback: Facebook security hole allows anyone to view private New Year's Midnight Delivery messages and photos | Latestwire

  3. Pingback: Facebook security hole allows anyone to view private New Year's Midnight Delivery messages and photos | Wikisis

  4. Pingback: Watch Out: Your New Year’s Midnight Delivery Messages On Facebook Aren’t Private | Gizmodo Australia

  5. Pingback: Facebook yılbaşına özel mesaj platformunu güvenlik açığı nedeniyle bakıma aldı

  6. Pingback: Facebook stops New Year message tool | Social Network Tips

  7. Pingback: DD Tech Solutions - Just in time: Facebook restores New Year’s messaging service after plugging privacy loophole

  8. Pingback: Just in time: Facebook restores New Year’s messaging service after plugging privacy loophole | Wikisis

  9. Pingback: Facebook stops New Year message tool | Build Own Social Network Website

  10. Pingback: Facebook stops New Year message tool | IT Support London | SupportWizard.net

  11. Pingback: Just in time: Facebook restores New Year’s messaging service after plugging privacy loophole | PJExploration

  12. Pingback: Facebook disables New Year’s messaging tool after private messages revealed | Latestwire

  13. Pingback: Facebook stops New Year message tool | Social Web Guide

  14. Pingback: Watch Out: Your New Year’s Midnight Delivery Messages on Facebook Aren’t Private | Backup Rss

  15. Pingback: Watch Out: Your New Year’s Midnight Delivery Messages on Facebook Aren’t Private (Updated) | Backup Rss

  16. Pingback: Facebook stops New Year message tool — news community information events reviews business in Narberth Pembrokeshire Wales

  17. Pingback: » Facebook Temporarily Disables New Year’s Messages After Privacy Snafu - Dynam Host ICT Solution

  18. Should have reported it to Facebook. There was an account on Hacker News of how Facebook gave some bloke 3,500 dollars for reporting a similar bug.

    • I reported it to Facebook. They still haven’t replied to me, it’s quite disappointing really. This is why I had to go to the press instead, to actually get this bug fixed.

  19. It’s great that you found this issue. And it’s pretty lame for facebook, or the third party that wrote the app, to miss this. However as a general security/privacy reporting etiquette you should not have made this public so soon. Imagine if all the white hats out there make every mac, windows, ios or android vulnerability as easily accessible and exploitable before the respective parties get a chance to evaluate and rollout a patch?
    I realize you did not have bad intentions, but as someone said..with great power comes great responsibility. Keep up the good work, and please be more responsible and nuanced reporting security issues going forward.

  20. Pingback: Facebook flubs security of 'Midnight Delivery' New Years messaging app | Digital Trends

  21. Pingback: Facebook revives NYE message service after security fix | Partners In Sublime

  22. Pingback: Facebook revives NYE message service after security fix | Tech TV

  23. how can i site like FB do this? aren’t these the highest paid/best programmers? seems like such an amateur mistake
    p.s. timeline sucks too and that’s why FB users are in decline. Fire Sheryl Sandberg

  24. Pingback: Facebook revives NYE message service after security fix « GoodyGate

  25. Pingback: A facebook se le atragantan las uvas « AppleMate

  26. Pingback: Facebook fixes privacy issue on New Year’s Eve messaging | Local Philadelphia News Aggregator

  27. This is a very basic security issue, an amateur programmer could easily avoid this flaw easily

    Facebook is the worst on the internet in protecting user provacy

  28. Pingback: Facebook revives NYE message service after security fix | Show Off! The Magazine

  29. Almost avoided commenting but just had to say, highest paid isn’t necessarily the best programmers. Well done for finding this, Facebook should have acknowledged the emails at least!

  30. Wow that was unusual. I just wrote an extremely long comment but
    after I clicked submit my comment didn’t appear. Grrrr… well I’m not writing all
    that over again. Anyways, just wanted to say wonderful blog!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s