Facebook “Midnight Delivery” security flaw

Facebook have implemented a new service to wish friends and family a Happy New Year, offering to deliver your message to them on the strike of midnight.

Facebook however have not been very security conscious when setting this up. By simple manipulation of the ID at the end of the URL of a sent message on the FacebookStories site, you are able to view other people’s Happy New Year messages. At least I was when I edited the ID for myself.

For example, I made this test one, which you should be able to see saying “TEST TEST TEST TEST”:

If you manipulate the ID (http://www.facebookstories.com/midnightdelivery/confirmation?id=76188), you can view other people’s messages; just change the ID number up or down a few.

It is, you may say, a pretty harmless flaw, as they tend to be generic messages and you can’t see who sent them (it shows your profile pic next to the message, as if you’ve sent it). However, you can see the names of the recipients of the message.

Some messages do contain a photo: one such message I saw contained a photo of a father and their child, another a family photo, and another was a personally written message with a photo such as this:

I don’t know who these people are, but you can see it puts my profile pic next to it, as if I have sent the message. It shouldn’t be possible to do this, as these are not generic and are people’s personal images.

A very bad part of it all is, I think, that you can actually DELETE other people’s messages, which I have tested for myself on a single message, as I thought that it would say access denied.

Screenshot 1 shows a greeting written by someone:

Screenshot 2 shows the greeting page after I clicked to delete it:


After I action the deletion, this URL is no longer reachable, which may mean that I have deleted their message.

Screenshot 3 is just an example of a mass message I came across:


I just wanted to share this. I don’t know how a site like Facebook can continue to take these kinds of risks. PLEASE don’t go deleting random messages, but try and delete one of mine that I set up especially, if you want :). And share this message with someone else who may be interested:

Jack. Tweet me here: https://twitter.com/Jackthewelshman

UPDATE 31/12/2012 05:25GMT – the site is currently down for maintenance, I sent it to Facebook too so I think they are working on it

UPDATE 31/12/2012 14:00GMT – Facebook still haven’t got back to me personally with any response. This is the reason that I contacted The Verge, to actually get some action taken

UPDATE 31/12/2012 14:35GMT – I have just checked, the bug / oversight has now been fixed. You can no longer access other people’s messages by changing the confirmation message ID

UPDATE 01/01/2013 16:49GMT – Facebook still haven’t responded to the two messages that I sent regarding this bug (This is still correct 03/01/2013 23:05GMT – I guess that I’ll never get a response now)
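
The post does not say how Facebook fixed the confirmation page. As an added illustration (not Facebook's code), the sketch below contrasts a lookup that trusts only the ID from the URL with one that checks the message owner against the logged-in user before viewing or deleting. The store, user names and second message are constructed for the example.

```python
import secrets

class Forbidden(Exception):
    """Raised when the caller does not own the requested message."""

class MessageStore:
    def __init__(self):
        self._by_id = {}  # id -> {"owner", "recipients", "text"}

    def create(self, owner, recipients, text):
        # Random, non-sequential identifier: defence in depth only.
        # The ownership check in _owned() is the actual control.
        msg_id = secrets.token_urlsafe(16)
        self._by_id[msg_id] = {"owner": owner, "recipients": recipients, "text": text}
        return msg_id

    def view_unchecked(self, msg_id):
        # The pattern described in the post: only the ID from the URL is
        # consulted, so any logged-in user is served any message.
        return self._by_id[msg_id]

    def _owned(self, session_user, msg_id):
        msg = self._by_id.get(msg_id)
        # Same error for "missing" and "not yours", so IDs cannot be probed.
        if msg is None or msg["owner"] != session_user:
            raise Forbidden("no such message for this user")
        return msg

    def view(self, session_user, msg_id):
        return self._owned(session_user, msg_id)

    def delete(self, session_user, msg_id):
        self._owned(session_user, msg_id)  # authorise before mutating
        del self._by_id[msg_id]

def demo():
    store = MessageStore()
    mine = store.create("jack", ["friend_a"], "TEST TEST TEST TEST")
    theirs = store.create("someone_else", ["family_b"], "Happy New Year!")
    results = {"own_view": store.view("jack", mine)["text"]}
    for action in (store.view, store.delete):
        try:
            action("jack", theirs)
            results[action.__name__] = "allowed"
        except Forbidden:
            results[action.__name__] = "denied"
    # The other user's message survives the rejected delete.
    results["still_there"] = store.view("someone_else", theirs)["text"]
    return results

if __name__ == "__main__":
    print(demo())
```

The session user must come from the server-side session, never from a request parameter, otherwise the check can be bypassed the same way as the ID.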

What I did this week

This week we have been completing work on our group report, in between the final work on another 20 credits we’ve been working on. Therefore, early in this work week we didn’t actually manage to meet up; however, we did meet up during the end of this working week.

We have completed a lot of the business plan. This week we have been going through tidying the earlier sections of it up to “hand in standard”. Then we’ve been moving on to writing bullet points for incomplete sections or turning some points into text.

The Technology plan’s components are all completed apart from the Data Flow Diagrams, which I have begun producing and will complete in this following week. We had already done one, however after the lecture this week, I have realized that this existing one has elements of a flow diagram and that it’s better to just do it again. I will make a number of them to model different processes. The technology plan items need to be formatted into a formal document with descriptions (where applicable); at the moment they are only together and unstructured.

The marketing plan has a template which Seb has created. Ian has had some more feedback from the questionnaire, we however have not added many items to the formal Marketing Plan document – we only have relevant content saved, not in any order. This is the most incomplete part of the group report right now.

Sam and Tom discussed what they had done with the Technology plan and how they had brought them all together. Seb and I showed the group the progress in the business plan. Ian helped Seb make some changes before our meeting today, before the rest of us got to the meeting room. Ian told us what he’d done with the Marketing plan and what was missing from other plans, such as risks – so we will work on that first in this coming working week. During the meeting we set a plan for this week and we have a meeting room booked for a period on all days.

I am confident that the work will be completed to a high standard by Friday, where one of us will be delivering it to Chris. The aim is to push forward ensuring we make all of the relevant points and workings for a 1st! We will see how it goes.

Time spent: 7 hours

EDIT: Just searched for a DFD diagram program to use that is easier to use than Word 2010, or one that has some more powerful features. I decided to go with Gliffy as it’s free, it’s web based and there are lots of tools available, such as easy linking of processes with arrows. I tested it out and made a DFD for two processes (3 diagrams in total, as I need to show my group multiple versions for feedback). More to come in the following week but will tag this work onto tonight.

Time added: 2 hours. Total time 9 hours

What I learnt this week

This week I learnt some more about data flow diagrams (DFDs). I had done them before, perhaps during A-Level, but certainly during a 1st or 2nd year module of some sort. However that’s a long time ago, so was a little rusty!

I learnt that DFDs are supposed to be easy to read, to show the sequence of processes happening and the data that is moving between them. The most important part that I took away from the lecture was that they aren’t highly detailed diagrams containing decisions and every single process that is going on. There are other diagrams more suited to this, such as a flow diagram. What I previously made for my group project was probably just a flow diagram, so I can go back and fix that.

A data flow diagram has data stores, functions (processes) and arrows to show the relationship and movement.

Although the diagrams themselves don’t describe the detailed workings within a system or data flow, the diagrams themselves can still be large and complex, depending on the scale of the processes involved. For example the data flow diagram for voting in a poll online will be different to describing an inter library loan book request.

Other than this, Chris reminded us of the hand in date for the Group Report. We’ll decide on one person to hand it in, the method will probably be by email as this is easiest… and least chilly.

Question: I do have a question about our hand in. Do you want the format to be 3 files only (e.g. in a zip if by email), these being PDFs / word processor files – as if it’s a paper document hand in. Or can there be additional files too? I was just thinking let’s say there was a large image that we wanted to include, this would be fairly small on an A4 page but easier to see full screen (done via link to online resource in-document, or folder of content in the zip)

What I did this week

This week our group met up on Friday for just under 2 hours – we discussed how we’re going to split up the work and who was going to meet up for regular progress reports or group work.

Seb and I have done previous work that relates to or is in the business plan, plus I quite like crunching numbers and things, so it was decided that we would take on the responsibility of finishing the Business plan. This can be reviewed later on by other team members. I spoke with Seb so that we could meet up on the weekend or next week.

Also during the meeting we realized that the Marketing plan needs to have a document template created, with headings and current content, so that we don’t always think from a blank sheet. This way we can complete it more quickly. We also need to gain more responses from our survey, as Ian showed us that although we had a lot of responses, over 75% were Students if I remember rightly. Ian is going to work on the Marketing plan and I am going to assist him with it.

Tom and Sam are going to meet up to complete the technology plan, they have done some of the original technology related pieces, so this makes sense.

Over the weekend I spent time looking through the results of the survey, writing down the main points about what things meant. For example, stats show that the majority of people thought our pricing for annual student rental was reasonable, as our annual charge for students falls within the most popular range. However, if we get more respondents that are not Students, they may say the same thing, but their annual charge is currently set higher, in a different price band that isn’t quite as popular in the survey results. We may need to use this survey data to make some changes.

I also spent some time at the weekend looking for some example marketing plans, to get an idea of the layout. I did this while looking at the marketing related lectures we’ve had in previous weeks.

We met again on Monday and planned ahead of how we would allocate time in the week before hand in. We have made sure that we have at least 12 hours within the final 5 days, where we are all free to meet together. We have booked a meeting room for a few hours each day, so that anyone can meet, with a computer available to do or go through any work.

I spoke with Seb during Monday’s meeting to meet up on Tuesday to do some Business plan work.

On Tuesday I met up with Seb to work on the Business plan, which we have centrally saved in a group on Facebook. One of the things we did was write down our ideas in section 14 about how we would promote and advertise our rental service. There needs to be a campaign in the local area, particularly on campus during the start of terms and particularly around town and the local area (e.g. caravan parks) during tourist season. Nationally, we can only really advertise our business on the internet due to budget; this would make it easier to spend our money wisely, by targeting an audience using Google Adwords (geographical and keyword relevance). There may be some useful data from our marketing plan to help with this.

The people in our group have a deadline for a 100% assignment and one 40% assignment, before the hand in for this group report. We have to balance our time between these things up until they are completed, by the 10th of December the group report will be our only responsibility left, so we can put more focus into it.

I believe this week we have pulled together to bring the standard up level with previous weeks again, but we need to work as hard as this up until the 10th, then twice as hard up until the deadline if we are going to complete this to a 1st standard – which we aim to achieve!

Work responsibility split:

Marketing: Ian/Jack === Business: Jack/Seb === Technology: Sam/Tom

Hours spent: approx 8 hours