Facebook Security Flaw Exposed Users, Zuckerberg's Private Photos

Ironically, the very tool that was intended to help users police inappropriate and offensive content on Facebook was exploited to access images that users had marked private.

Some Facebook users gleefully exploited a security flaw in Facebook's mechanism for reporting inappropriate or offensive images posted on the social networking site to access and publish Facebook CEO Mark Zuckerberg's private photos. Facebook moved quickly to close the hole.

On Nov. 27, an anonymous poster on Web forum Bodybuilding.com listed step-by-step instructions on how to access photos uploaded by other Facebook users, even if the images had been locked as private. Thirteen pictures grabbed from Zuckerberg's account and marked private were posted on the Imgur photo sharing site and shared widely on Twitter on Dec. 6.

When a user flags an image on another user's profile as containing nudity or adult content through the self-reporting system, the tool offers an option of "selecting additional photos to include with your report," according to the forum post, titled "I teach you how to view private Facebook photos."

If the reporter chooses that option, Facebook displays an album of the reported user's other photos that could be flagged, including ones the owner had marked private at upload time. The forum thread also discussed ways the reporter could resize and enlarge the photos displayed.
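The flaw described above is a familiar access-control failure: the privacy rule was enforced on the normal photo page but not on a secondary code path (the "additional photos" picker in the report dialog) that renders the same data. The following Python model is an added illustration, not Facebook code and not the forum post's steps; the user names, photo IDs, visibility settings and function names are constructed for the example. It puts the vulnerable picker beside a fixed one that routes every exposure of a photo through the same `can_view` check, and adds a small regression helper that flags anything a picker lists that the photo page would refuse.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    visibility: str  # "public", "friends" or "only_me"


# Constructed sample data (hypothetical users and photos, not real accounts).
FRIENDS = {"owner": {"friend"}}
PHOTOS = {
    "owner": [
        Photo(1, "owner", "public"),
        Photo(2, "owner", "friends"),
        Photo(3, "owner", "only_me"),
    ]
}
PHOTO_INDEX = {p.photo_id: p for album in PHOTOS.values() for p in album}


def can_view(viewer: str, photo: Photo) -> bool:
    """Single privacy rule that every flow exposing a photo must consult."""
    if viewer == photo.owner or photo.visibility == "public":
        return True
    if photo.visibility == "friends":
        return viewer in FRIENDS.get(photo.owner, set())
    return False  # "only_me" (and any unknown setting) stays private


def view_photo(viewer: str, photo_id: int) -> Photo:
    """The normal photo page: enforces can_view before returning anything."""
    photo = PHOTO_INDEX[photo_id]
    if not can_view(viewer, photo):
        raise PermissionError(f"{viewer} may not view photo {photo_id}")
    return photo


def report_picker_vulnerable(viewer: str, reported_id: int) -> list[int]:
    """'Select additional photos' as the bug behaved: the picker lists the
    whole album of the reported photo's owner and never consults can_view,
    so a reporter who is not a friend is shown friends-only and only-me
    photos. (Hypothetical reconstruction of the bug class, not real code.)"""
    owner = PHOTO_INDEX[reported_id].owner
    return [p.photo_id for p in PHOTOS[owner]]


def report_picker_fixed(viewer: str, reported_id: int) -> list[int]:
    """Same picker with authorization applied at the data boundary: the
    reporter must be able to see the reported photo at all, and the album
    is filtered through the same can_view rule the photo page uses."""
    reported = view_photo(viewer, reported_id)  # raises if not viewable
    return [p.photo_id for p in PHOTOS[reported.owner] if can_view(viewer, p)]


def leaked_photo_ids(picker, viewer: str, reported_id: int) -> list[int]:
    """Regression check for any secondary flow that renders photos: every ID
    the picker returns that view_photo would refuse is a leak."""
    leaks = []
    for photo_id in picker(viewer, reported_id):
        try:
            view_photo(viewer, photo_id)
        except PermissionError:
            leaks.append(photo_id)
    return leaks


if __name__ == "__main__":
    print("vulnerable picker, stranger:", report_picker_vulnerable("stranger", 1))
    print("fixed picker, stranger:     ", report_picker_fixed("stranger", 1))
    print("leaks (vulnerable):", leaked_photo_ids(report_picker_vulnerable, "stranger", 1))
    print("leaks (fixed):     ", leaked_photo_ids(report_picker_fixed, "stranger", 1))
```

The design point is that `can_view` is the only place the privacy decision lives; the report dialog, tagging and sharing pickers, and any future "recent code push" all go through it rather than reimplementing the rule. The `leaked_photo_ids` helper is the kind of check that belongs in a test suite for each such flow, since the owner gets no notification and cannot tell from the product that the picker exposed anything.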

As of late afternoon Dec. 6, Facebook had closed the security hole.

"Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously," Facebook said in a statement. The bug was a result of a "recent code push" and was live for only a "limited period of time," the company said.

"Not all content was accessible, rather a small number of one's photos," Facebook said, adding that only a limited number of users were affected. The company did not disclose how many people may have been affected by the exploit. Users are not told who flagged their images through the reporting tool, and they have no way to tell whether someone used the exploit to view their private photos.

The exploit does not appear to have worked consistently, as the reporting tool did not always display the "additional photos" option to users, and not all the images that were in the album had been private, according to the forum thread.

The reporting tool has been disabled, and Facebook "will only return functionality once we can confirm the bug has been fixed," Facebook said. The company also reaffirmed its commitment to data privacy, and that the integrity of user data is the company's "top priority."

The anonymous poster who found the flaw told the Wall Street Journal the flaw was discovered by accident. "This is simply terrible programming on Facebook's part," the poster told the Journal, adding, "[It's] inexcusable considering how many engineers and web developers they have working for them."

This is not the first time someone has used a Facebook exploit to go after the CEO. In January, a hacker posted a message that appeared to be from Zuckerberg suggesting the company look to its own users to raise funds instead of going to the banks.

The timing of this attack is unfortunate, as only days earlier Facebook had settled with the United States Federal Trade Commission on charges of misleading users about how their personal information would be used. The settlement requires Facebook "to establish and maintain a comprehensive privacy program" that will be subject to regular audits by a third party for the next 20 years, the FTC said.