Getting hundreds of spam Facebook messages wishing you a happy New Year would be annoying enough – how much worse if the contents of those messages are public?
Facebook’s been forced to pull the plug on its Midnight Deliveries feature, following the discovery of a security flaw that would have allowed outsiders to not only view the messages but also edit or delete them.
Facebook launched Midnight Deliveries just before Christmas as part of its Facebook Stories feature. The idea was to allow the lazier of us to wish all our friends a happy New Year simultaneously at the stroke of midnight tonight.
But IT student Jack Jenkins has discovered that it’s easy for a user to change the ID at the end of a sent message’s URL and so view or alter the content of messages addressed to other people.
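The behaviour described above is what results when a server looks a message up by the ID in the URL without checking who is asking. The sketch below is an added example, not Facebook's code: the `MessageStore` class, its method names and the sample users are hypothetical, and it puts the unchecked lookup beside one that ties every view, edit and delete to the requesting user.

```python
# Added illustration: all names here are hypothetical, not Facebook's code.
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for missing messages AND for messages the caller does not own."""


@dataclass
class Message:
    sender: str
    recipients: list
    body: str


@dataclass
class MessageStore:
    _rows: dict = field(default_factory=dict)
    _next_id: int = 1

    def create(self, sender, recipients, body):
        msg_id = self._next_id
        self._rows[msg_id] = Message(sender, list(recipients), body)
        self._next_id += 1
        return msg_id

    # Flawed pattern: the ID taken from the URL is the only thing consulted.
    def view_unchecked(self, msg_id):
        return self._rows[msg_id]

    # Corrected pattern: every operation resolves the ID for a given user.
    def _owned(self, user, msg_id):
        msg = self._rows.get(msg_id)
        if msg is None or msg.sender != user:
            # Same error either way, so the response does not confirm
            # that someone else's message exists under that ID.
            raise NotFound(msg_id)
        return msg

    def view(self, user, msg_id):
        return self._owned(user, msg_id)

    def edit(self, user, msg_id, body):
        self._owned(user, msg_id).body = body

    def delete(self, user, msg_id):
        self._owned(user, msg_id)
        del self._rows[msg_id]
```

The `user` argument must come from the authenticated session on the server, never from the URL or the request body.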
“It is, you may say, a pretty harmless flaw, as they tend to be generic messages and you can’t see who sent them (it shows your profile pic next to the message, as if you’ve sent it). However, you can see the names of the recipients of the message,” says Jenkins on his blog.
“Some messages do contain a photo; one such message I saw contained a photo of a father and their child, another a family photo.”
Facebook has responded quickly to the discovery, taking down the app to work on a fix. It’s back up again now, implying that everything’s sorted: so brace yourself for the influx of platitudes at midnight tonight…