Facebook Security Flaw Exposed Users, Zuckerberg's Private Photos | eWeek

Facebook Security Flaw Exposed Users, Zuckerberg’s Private Photos

Dec 6, 2011
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Some Facebook users gleefully exploited a security flaw in Facebook’s mechanism for reporting inappropriate or offensive images posted on the social networking site to access and publish Facebook CEO Mark Zuckerberg’s private photos. Facebook moved quickly to close the hole.

On Nov. 27, an anonymous poster on Web forum Bodybuilding.com listed step-by-step instructions on how to access photos uploaded by other Facebook users, even if the images had been locked as private. Thirteen pictures grabbed from Zuckerberg’s account and marked private were posted on the Imgur photo sharing site and shared widely on Twitter on Dec. 6.

When a user flags an image on another user’s profile as containing nudity or adult content using the self-reporting system, the tool offers an option of “selecting additional photos to include with your report,” according to the instructions posted on the “I teach you how to view private Facebook photos” post.

If the user wants to select additional photos, Facebook displays an album containing additional photos that could be flagged, even those marked as private when uploaded by the user. The forum thread also discussed ways the user can resize and enlarge the photos available.

As of late afternoon Dec. 6, Facebook has closed the security hole.

“Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously,” Facebook said in a statement. The bug was a result of a “recent code push” and was live for only a “limited period of time,” the company said.

“Not all content was accessible, rather a small number of one’s photos,” Facebook said, adding that only a limited number of users were affected. The company did not disclose how many people may have been affected by the exploit. Users are not notified who flagged their images using the tool, and they will not be able to tell that someone had used the exploit to view their private photos.

The exploit does not appear to have worked consistently, as the reporting tool did not always display the “additional photos” option to users, and not all the images that were in the album had been private, according to the forum thread.

The reporting tool has been disabled, and Facebook “will only return functionality once we can confirm the bug has been fixed,” Facebook said. The company also reaffirmed its commitment to data privacy, and that the integrity of user data is the company’s “top priority.”

The anonymous poster who found the flaw told the Wall Street Journal the flaw was discovered by accident. “This is simply terrible programming on Facebook’s part,” the poster told the Journal, adding, “[It’s] inexcusable considering how many engineers and web developers they have working for them.”

This is not the first time someone used a Facebook exploit to go after the CEO. In January, a hacker posted a message that appeared to be from Zuckerberg that suggested the company look to its own users to raise funds instead of going to the banks.

The timing of this attack is unfortunate, as just a few days ago, Facebook settled with the United States Federal Trade Commission on charges of misleading users about how their personal information would be used. The settlement requires Facebook “to establish and maintain a comprehensive privacy program” that would be subject to regular audits by a third party for the next 20 years, the FTC said.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.