
Update: 4am PST: Facebook has restored access to the messaging service after plugging the privacy and security hole.
Update: 10:20pm PST: A Facebook spokesperson confirms that it is aware of the issue and working on a fix. According to the statement: "We are working on a fix for this issue now, and in the interim we have disabled this app on the Facebook Stories site to ensure that no messages can be accessed."
Update 8:54pm PST: Facebook appears to have taken the site offline to make some updates. When you go to the site, it displays a message saying "This site is currently undergoing some maintenance."
The new year is still about 24 hours away in the United States, but it looks like Facebook's Midnight Deliveries are getting a head start, unbeknownst to the social network. As first reported by Jack Jenkins, Facebook's New Year's feature has a privacy flaw that allows anyone to view and potentially delete messages intended for other users.
The privacy flaw
Last week, the social network launched its Midnight Delivery feature that enabled any user to send messages automatically to their friends at the stroke of midnight. Normally, when users get a message, it goes straight to their inbox on Facebook. However, this time, these messages appear to have rather public confirmation pages making them available to anyone who has the URL syntax.

We've confirmed this privacy flaw with our own test. When a user successfully submits a message to be sent to their friends, he or she is shown a confirmation screen that displays a URL: http://www.facebookstories.com/midnightdelivery/confirmation?id=XXXXX. From here, anyone who's curious can simply change the ID variable at the end of the web address and then view other messages left for people.
It's important to note that when you look at other people's messages, the sender isn't visible. However, you do see all the intended recipients and also the message itself. The avatar that would normally display the sender's image is replaced by yours (assuming you're logged into Facebook at the time). What's more, there is an opportunity for anyone to delete it from the server. Yes, that's right. If you stumble upon someone's message and click on the "X" next to it, it can be removed from the site. We've tried it and, after refreshing the page, came across an error message (displayed below).
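The behaviour described above is an access-control gap: the page trusts the id in the URL without checking who is asking. As an added illustration (not Facebook's code; the in-memory store, user names and function names are hypothetical), here is the unchecked lookup next to a version that verifies ownership before a message can be viewed or deleted:

```python
import secrets

# Constructed sample data: scheduled messages keyed by a guessable sequential id.
MESSAGES = {
    "10001": {"sender": "alice", "recipients": ["bob"], "body": "Happy New Year!"},
    "10002": {"sender": "carol", "recipients": ["dave", "erin"], "body": "See you at midnight"},
}

class NotFound(Exception):
    """Raised for missing AND not-owned ids, so replies cannot be used to map valid ids."""

def view_unchecked(msg_id):
    # Flawed pattern: the id from the URL is the only input to the lookup.
    return MESSAGES[msg_id]

def owned_message(session_user, msg_id):
    # session_user must come from the authenticated session, never from the request.
    msg = MESSAGES.get(msg_id)
    if msg is None or msg["sender"] != session_user:
        raise NotFound(msg_id)
    return msg

def view(session_user, msg_id):
    return owned_message(session_user, msg_id)

def delete(session_user, msg_id):
    owned_message(session_user, msg_id)  # authorize before any state change
    del MESSAGES[msg_id]

def create(session_user, recipients, body):
    # Defence in depth: a random id is hard to guess, but the ownership check
    # above is still what enforces access.
    msg_id = secrets.token_urlsafe(16)
    MESSAGES[msg_id] = {"sender": session_user, "recipients": list(recipients), "body": body}
    return msg_id
```

Returning the same error for "does not exist" and "not yours" keeps the endpoint from confirming which ids are in use.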

We've reached out to Facebook for comment about this security and privacy flaw and will update when we hear back. However, it appears that Facebook may be working on the issue. We've been checking the Midnight Delivery website, and right now it displays a different screen when you try to view messages randomly. In fact, the service won't even allow users to create messages.

A minor flaw, but not one to be overlooked
While this may be considered a minor flaw in Facebook's master plan to get everyone to communicate using its platform, one thing that shouldn't be overlooked is that this could be embarrassing, if not damaging, for some individuals who use this for, let's say, unorthodox purposes (yes, we know there are some users who do that type of stuff). So if you used Midnight Deliveries to send messages and photos that are, shall we say, not safe for work, then this could affect you.
As Facebook is interested in being the repository for everything that is happening in our lives, the apparent inability to secure New Year's greetings puts a bit of a stain on the company's privacy record. Already seen by some as having a reputation for ignoring users' privacy, this just adds more fuel to the fire. Just this month, the social network launched updated privacy settings to help users feel better about how their content is being shared. Of course, that theory didn't really go well considering the recent debacle last week with Randi Zuckerberg and a family photo.
This also isn't the first time that Facebook has had issues with messages being displayed to the public. As TNW's Emil Protalinski reported in September, users claimed to see private messages in their Timelines. It wasn't a widespread issue, with Facebook saying that they were old Wall posts, but readers told us otherwise.
Not only that, but in November, the social network had a security hole that allowed anyone to see the email addresses corresponding to certain Facebook accounts. It was discovered through a Google search and may have provided a direct link to apparently 1.35 million accounts.
Photo credit: Chris Jackson/Getty Images