Ironically, the very tool that was intended to help users police inappropriate and offensive content on Facebook was exploited to access images that users had marked private.
Some Facebook users gleefully exploited a security flaw in Facebook's mechanism for reporting inappropriate or offensive images posted on the social networking site to access and publish Facebook CEO Mark Zuckerberg's private photos. Facebook moved quickly to close the hole.
On Nov. 27, an anonymous poster on Web forum Bodybuilding.com listed step-by-step instructions on how to access photos uploaded by other Facebook users, even if the images had been locked as private. Thirteen pictures grabbed from Zuckerberg's account and marked private were posted on the Imgur photo sharing site and shared widely on Twitter on Dec. 6.
When a user flags an image on another user's profile as containing nudity or adult content using the self-reporting system, the tool offers an option of "selecting additional photos to include with your report," according to the instructions posted on the "I teach you how to view private Facebook photos" post.
If the user wants to select additional photos, Facebook displays an album containing additional photos that could be flagged, even those marked as private when uploaded by the user. The forum thread also discussed ways the user can resize and enlarge the photos available.
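The flaw described above is a classic broken-access-control pattern: a secondary flow (picking "additional photos" for a report) listed an album without applying the same visibility rule the profile view enforces. The following is an added illustration written for this article, not Facebook's code; the photo visibility levels, user model and sample album are constructed assumptions, and it contrasts the bug pattern with the fix of reusing the primary authorization check.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner_id: int
    visibility: str  # constructed values: "public", "friends", "only_me"


@dataclass
class User:
    user_id: int
    friends: set = field(default_factory=set)


def can_view(viewer: User, photo: Photo) -> bool:
    """The visibility rule the normal profile/album view applies."""
    if viewer.user_id == photo.owner_id:
        return True
    if photo.visibility == "public":
        return True
    if photo.visibility == "friends":
        return photo.owner_id in viewer.friends
    return False  # "only_me" or any unknown value: deny by default


def additional_photos_vulnerable(reporter: User, album: list) -> list:
    # Bug pattern: the report flow returns the whole album because the
    # caller "only wants to flag content", so no visibility check runs.
    return list(album)


def additional_photos_fixed(reporter: User, album: list) -> list:
    # Fix: every flow that renders photos must reuse the same check,
    # so a report dialog can never show more than the profile would.
    return [p for p in album if can_view(reporter, p)]


# Constructed sample data: one owner with three photos of differing visibility.
OWNER = 1
ALBUM = [
    Photo(101, OWNER, "public"),
    Photo(102, OWNER, "friends"),
    Photo(103, OWNER, "only_me"),
]
STRANGER = User(user_id=42)              # not a friend of the owner
FRIEND = User(user_id=7, friends={OWNER})
```

The regression test a team would want here is exactly the third assertion below: a non-friend reporter must see the same subset in the report flow as on the profile, never the full album.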
As of late afternoon Dec. 6, Facebook had closed the security hole.
"Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously," Facebook said in a statement. The bug was a result of a "recent code push" and was live for only a "limited period of time," the company said.
"Not all content was accessible, rather a small number of one's photos," Facebook said, adding that only a limited number of users were affected. The company did not disclose how many people may have been affected by the exploit. Users are not notified who flagged their images using the tool, and they will not be able to tell that someone had used the exploit to view their private photos.
The exploit does not appear to have worked consistently, as the reporting tool did not always display the "additional photos" option to users, and not all the images that were in the album had been private, according to the forum thread.
The reporting tool has been disabled, and Facebook "will only return functionality once we can confirm the bug has been fixed," Facebook said. The company also reaffirmed its commitment to data privacy, saying that the integrity of user data is the company's "top priority."
The anonymous poster who found the flaw told the Wall Street Journal the flaw was discovered by accident. "This is simply terrible programming on Facebook's part," the poster told the Journal, adding, "[It's] inexcusable considering how many engineers and web developers they have working for them."
This is not the first time someone has used a Facebook exploit to go after the CEO. In January, a hacker posted a message that appeared to be from Zuckerberg that suggested the company look to its own users to raise funds instead of going to the banks.
The timing of this attack is unfortunate, as just a few days ago, Facebook settled with the United States Federal Trade Commission on charges of misleading users about how their personal information would be used. The settlement requires Facebook "to establish and maintain a comprehensive privacy program" that would be subject to regular audits by a third party for the next 20 years, the FTC said.