Facebook have implemented a new service to wish friends and family a Happy New Year, offering to deliver your message to them on the strike of midnight.
Facebook, however, have not been very security conscious when setting this up. By simple manipulation of the ID at the end of the URL of a sent message on the FacebookStories site, you are able to view other people's Happy New Year messages. At least I was when I edited the ID for myself.
For example, I made this test one which you should be able to see saying “TEST TEST TEST TEST”:
If you manipulate the ID (http://www.facebookstories.com/midnightdelivery/confirmation?id=76188), you can view other people’s messages, just change the ID number up or down a few.
It is, you may say, a pretty harmless flaw, as they tend to be generic messages and you can't see who sent them (it shows your profile pic next to the message, as if you've sent it). However, you can see the names of the recipients of the message.
Some messages do contain a photo: one such message I saw contained a photo of a father and their child, another a family photo, and another was a personally written message with a photo such as this:
I don’t know who these people are, but you can see it puts my profile pic next to it, as if I have sent the message. It shouldn’t be possible to do this, as these are not generic and are people’s personal images.
A very bad part of it all, I think, is that you can actually DELETE other people's messages, which I have tested for myself on a single message as I thought that it would say access denied.
Screenshot 1 shows a greeting written by someone:
Screenshot 2 shows the greeting page after I clicked to delete it:
After I actioned the deletion, this URL was no longer reachable, which may mean that I have deleted their message.
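The view and delete behaviour described above is a missing object-level authorization check: the server resolves whatever ID is in the URL without asking whether the requester owns it. The following is an added example (not Facebook's or the app's code) that models that vulnerable handler beside a hardened one in a constructed in-memory store; the `MessageStore`, `Message` and handler names are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Message:
    id: str
    sender: str       # account that composed the greeting
    recipient: str    # name shown on the confirmation page
    text: str
    deleted: bool = False

class MessageStore:
    """Constructed in-memory stand-in for the delivery backend (assumption)."""
    def __init__(self):
        self.messages = {}
        self.next_id = 76188  # constructed: mirrors the sequential id style in the post's URL

    def create(self, sender, recipient, text, unguessable=False):
        # Sequential ids are what made enumeration trivial; a random token removes
        # guessability but is NOT a substitute for the ownership check below.
        mid = secrets.token_urlsafe(16) if unguessable else str(self.next_id)
        self.next_id += 1
        self.messages[mid] = Message(mid, sender, recipient, text)
        return mid

# --- Vulnerable pattern: trusts the id in the URL, never asks who is asking ---
def confirmation_vulnerable(store, viewer, msg_id):
    msg = store.messages.get(msg_id)
    return None if msg is None or msg.deleted else msg

def delete_vulnerable(store, viewer, msg_id):
    msg = confirmation_vulnerable(store, viewer, msg_id)
    if msg is not None:
        msg.deleted = True
    return msg is not None

# --- Hardened pattern: an id only resolves when the caller is its sender ---
def _owned(store, viewer, msg_id):
    msg = store.messages.get(msg_id)
    # Treat missing, deleted and foreign ids identically ("not found"), so the
    # response does not reveal which ids exist to someone walking the sequence.
    if msg is None or msg.deleted or msg.sender != viewer:
        return None
    return msg

def confirmation_secure(store, viewer, msg_id):
    return _owned(store, viewer, msg_id)

def delete_secure(store, viewer, msg_id):
    msg = _owned(store, viewer, msg_id)
    if msg is None:
        return False
    msg.deleted = True
    return True
```

The point of the hardened form is that the check happens on every operation that takes an ID, including delete, rather than only on the page that renders it.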
Screenshot 3 is just an example of a mass message I came across:
I just wanted to share this. I don’t know how a site like Facebook can continue to take these kinds of risks. PLEASE Don’t go deleting random messages, but try and delete one of mine that I set up especially if you want :). And share this message with someone else who may be interested:
http://www.facebookstories.com/midnightdelivery/confirmation?id=76746
http://www.facebookstories.com/midnightdelivery/confirmation?id=76742
Jack. Tweet me here: https://twitter.com/Jackthewelshman
UPDATE 31/12/2012 05:25GMT – the site is currently down for maintenance, I sent it to Facebook too so I think they are working on it
UPDATE 31/12/2012 14:00GMT – Facebook still haven’t got back to me personally with any response. This is the reason that I contacted The Verge, to actually get some action taken
UPDATE 31/12/2012 14:35GMT – I have just checked, the bug / oversight has now been fixed. You can no longer access other people’s messages by changing the confirmation message ID
UPDATE 01/01/2013 16:49GMT – Facebook still haven’t responded to the two messages that I sent regarding this bug (This is still correct 03/01/2013 23:05GMT – I guess that I’ll never get a response now)
I tried it a few times; the seventh time it signed me out of the app. I guess they are working on it? I hope.
Let’s hope so! I went through at least 20 and nothing happened, this was earlier on
“This site is currently undergoing some maintenance.”
Hopefully they’re fixing it!
They fixed it
fixed…….
Nice one mate!
It’s “fixed” – meaning Facebook have turned off the midnight delivery service – http://www.guardian.co.uk/technology/2012/dec/31/facebook-disables-new-year-message-app .
It’s “fixed” – thank you Facebook!
Just unbelievable!
Should have reported it to Facebook. There was an account on Hacker News of how Facebook gave some bloke 3,500 dollars for reporting a similar bug.
I reported it to Facebook. They still haven’t replied to me, it’s quite disappointing really. This is why I had to go to the press instead, to actually get this bug fixed.
Good job!
It’s great that you found this issue. And it’s pretty lame for Facebook, or the third party that wrote the app, to miss this. However, as a general security/privacy reporting etiquette, you should not have made this public so soon. Imagine if all the white hats out there made every Mac, Windows, iOS or Android vulnerability as easily accessible and exploitable before the respective parties got a chance to evaluate and roll out a patch?
I realize you did not have bad intentions, but as someone said, with great power comes great responsibility. Keep up the good work, and please be more responsible and nuanced reporting security issues going forward.
How can a site like FB do this? Aren’t these the highest paid/best programmers? Seems like such an amateur mistake.
P.S. Timeline sucks too and that’s why FB users are in decline. Fire Sheryl Sandberg.
Nice post, and thanks for the Facebook find.
This is a very basic security issue; an amateur programmer could easily avoid this flaw.
Facebook is the worst on the internet at protecting user privacy.
Almost avoided commenting but just had to say, highest paid isn’t necessarily the best programmers. Well done for finding this, Facebook should have acknowledged the emails at least!
Thanks for the comment :). I agree
Wow, that was unusual. I just wrote an extremely long comment but after I clicked submit my comment didn’t appear. Grrrr… well, I’m not writing all that over again. Anyway, just wanted to say wonderful blog!