Facebook Security Flaw Lets Strangers Read Chats
Facebook was recently forced to temporarily switch off a New Year's Eve messaging feature after a report suggested that private messages could be easily accessed and read by strangers.
The feature is called "Midnight Delivery." It allowed Facebook users to send a 'Happy New Year' message to a friend. Unlike a normal message, however, the New Year's message would be "delivered" at precisely midnight.
Furthermore, the message wouldn't arrive in the usual Facebook inbox. Instead, the recipient would get a link taking them to a special website called "Facebook Stories," where they would see the message.
Business Student Finds Security Flaw
However, an eagle-eyed user named Jack Jenkins, a business information technology student in the United Kingdom, discovered a security flaw in the system.
Essentially, the message link took users to a web page with an address that ended in a string of numbers. Those numbers turned out to be a reference to the individual message intended for the proper recipient.
However, by simply changing one or more of the numbers in his web browser address bar, Jenkins was able to access messages intended for other users. (Source: wordpress.com)
Anyone Could Read, Delete Private Messages
Jenkins found that he was able to see the names of other intended recipients of "Midnight Delivery" messages. He could read the full content of their messages, and see any attached photographs.
Jenkins also discovered that he could delete any of these messages, even though he had neither sent nor received them and so should never have had that ability.
Jenkins says that Facebook failed to respond to his email alerting them to the problem. As a result, he decided to publicize details of the security flaw as widely as he could.
On New Year's Eve, Facebook disabled Midnight Delivery for roughly nine hours. It then reinstated the feature, which thereafter blocked users from changing any of the numbers in the address bar.
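The flaw described above (a link whose trailing number is the only thing the server checks) and the fix (binding each message to the people allowed to see it) can be shown side by side. The following is an added example, not Facebook's code or anything from Jenkins's report; the message store, the user names and the three sample messages are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (not from the article): three scheduled messages whose
# IDs are small sequential integers, like the numbers at the end of the link.
@dataclass
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str
    deleted: bool = False


SAMPLE_MESSAGES = [
    Message(1, "alice", "bob", "Happy New Year, Bob!"),
    Message(2, "carol", "dave", "Happy New Year, Dave!"),
    Message(3, "erin", "mallory", "Happy New Year, Mallory!"),
]


class InsecureStore:
    """The flaw as described: the numeric ID from the URL is the only thing
    checked, so the identity of the viewer never enters the decision."""

    def __init__(self, messages):
        # Copy each record so the two stores below never share state.
        self._msgs = {m.msg_id: Message(**vars(m)) for m in messages}

    def read(self, viewer, msg_id):
        m = self._msgs.get(msg_id)
        if m is None or m.deleted:
            return None
        return m.body            # viewer ignored: any valid ID is readable

    def delete(self, viewer, msg_id):
        m = self._msgs.get(msg_id)
        if m is None:
            return False
        m.deleted = True         # viewer ignored: any valid ID is deletable
        return True


class SecureStore(InsecureStore):
    """Hardened form: every object access is bound to the authenticated viewer.
    An ID the viewer may not touch gets the same answer as a nonexistent one,
    so the response does not reveal whether the message exists."""

    def _owned(self, viewer, msg_id):
        m = self._msgs.get(msg_id)
        if m is None or m.deleted or viewer not in (m.sender, m.recipient):
            return None
        return m

    def read(self, viewer, msg_id):
        m = self._owned(viewer, msg_id)
        return None if m is None else m.body

    def delete(self, viewer, msg_id):
        m = self._owned(viewer, msg_id)
        if m is None:
            return False
        m.deleted = True
        return True


def build_stores():
    """Fresh copies of both stores over the same sample data."""
    return InsecureStore(SAMPLE_MESSAGES), SecureStore(SAMPLE_MESSAGES)


def count_readable(store, viewer, id_range=range(1, 4)):
    """Regression check a defender keeps in the test suite: how many IDs in the
    range can this viewer read? Runs only against the in-memory sample data."""
    return sum(1 for i in id_range if store.read(viewer, i) is not None)


if __name__ == "__main__":
    insecure, secure = build_stores()
    print("mallory can read (insecure):", count_readable(insecure, "mallory"))
    print("mallory can read (secure):  ", count_readable(secure, "mallory"))
```

The point of `count_readable` is that the fix is verifiable: a viewer who is party to exactly one message should be able to read exactly one, whatever range of IDs is tried. Returning the same "not found" result for a denied ID and a missing ID is deliberate, since a distinguishable "forbidden" answer would still confirm which numbers correspond to real messages.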
Jenkins has told the media just how surprised he was to find such a massive security flaw on one of the world's most popular websites.
"It seems that Facebook treated all these messages as unique messages, but then failed to link them to a unique person to make them private to them," Jenkins said.
"I don't know all the ins and outs of it, but it's a pretty big thing for a company to overlook." (Source: guardian.co.uk)
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website! If you need technical assistance, I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).