Facebook recently suffered a serious security booboo. Reports indicate that a security flaw in its “Midnight Delivery” application allowed strangers to read users’ private messages.
Midnight Delivery allows Facebook users to send friends ‘Happy New Year’ messages. Users can attach text and a photograph to their message, which can only be read after recipients click a link that takes them to a special Facebook Stories website.
Midnight Delivery messages were specially designed to send only once the clock struck midnight on New Year’s Eve.
Here’s the problem: a UK-based business student named Jack Jenkins (great name) found that simply adjusting the numbers that appeared in the web browser address bar (or URL) allowed him to view other people’s private messages. He could read the text, look at photographs, and even delete those messages.
Jenkins immediately sent Facebook a note about the problem, but failed to receive a response. Feeling obligated to let the Facebook world know it was in danger, Jenkins publicized the issue.
Facebook eventually did take action. It disabled Midnight Delivery for several hours before reinstating it. When the app was again made available, users could no longer tinker with the URL and view strangers’ messages.
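As an added illustration (not Facebook’s code; the Message model, user names and message numbers are constructed for the example), here is the pattern behind the flaw described above, a lookup keyed only by the number in the URL, alongside the object-level authorization check that a fix like the one Facebook shipped has to enforce on both reads and deletes:

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the requester is not a party to the requested message."""


@dataclass
class Message:
    message_id: int
    sender: str
    recipient: str
    text: str


# Constructed sample data (not real users or messages): two scheduled
# greetings between different user pairs, keyed by the number in the URL.
MESSAGES = {
    101: Message(101, "alice", "bob", "Happy New Year, Bob!"),
    102: Message(102, "carol", "dave", "See you next year, Dave."),
}


def get_message_vulnerable(message_id: int, requester: str) -> Message:
    """The bug pattern: the id from the URL is looked up directly. The
    requester is logged in but never checked against the message, so
    changing the number in the address bar reveals anyone's message."""
    return MESSAGES[message_id]


def can_access(message_id: int, requester: str) -> bool:
    """Object-level authorization: only the sender or recipient may act
    on a message. Unknown ids are treated the same as forbidden ones so
    the response does not reveal which numbers exist."""
    msg = MESSAGES.get(message_id)
    return msg is not None and requester in (msg.sender, msg.recipient)


def get_message(message_id: int, requester: str) -> Message:
    """Hardened read: authorize before any data leaves the server."""
    if not can_access(message_id, requester):
        raise Forbidden(f"{requester!r} may not read message {message_id}")
    return MESSAGES[message_id]


def delete_message(message_id: int, requester: str) -> None:
    """Hardened delete: the same check blocks removing others' messages."""
    if not can_access(message_id, requester):
        raise Forbidden(f"{requester!r} may not delete message {message_id}")
    del MESSAGES[message_id]
```

The essential point is that authentication (who is logged in) is not authorization (whether that user may touch this particular object); the check must run on every object-addressing endpoint, including the delete path.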
All’s well that ends well, but it’s not clear if Jenkins was the only person to discover the flaw. Jenkins did know, however, that he had stumbled upon quite an epic security fail — and one that practically anybody could have found.
“I don’t know all the ins and outs of it, but it’s a pretty big thing for a company to overlook,” Jenkins said.