Facebook Works To Fix Confirmed Privacy Flaw With New Year's Message Service
Social network Facebook has confirmed that there is a privacy flaw with its New Year's messaging service called the Midnight Delivery feature. This feature was billed as a way to allow users to send messages automatically to all their friends at the stroke of midnight. Since some the messages could be private in nature, the service was supposed to allow messages to be read by the intended recipients. UPDATE: A spokesperson for Facebook has reached out to us to assure the world that this situation has been rectified – rest easy!
However, Facebook has now confirmed that there is a privacy flaw that allows anyone with the URL syntax to read messages left using the service. The messages were supposed to go directly to the recipient's inbox on Facebook. The flaw also will allow users to delete the messages before they arrive at their intended recipients. You may be thinking that it would be difficult for a stranger or someone else you know to get the exact URL syntax for messages.
The problem is that when you enter a message to be delivered at midnight tonight, message users are given a confirmation screen displaying a URL. That URL is the same for everyone who enters a message using the service except for at approximately six digit long code on the end. Users who want to create mischief could simply change that six digit code and access messages left by the users that they could read or delete.
Facebook has confirmed that they have taken the Midnight Delivery feature off-line to fix the security flaw. At least all the security problem allowed was for people to read and delete your messages. If the flaw allowed people to edit those messages, things could've been very embarrassing.
[via TheNextWeb]