Facebook has disabled parts of it abuse report system that allowed users’ private photos to be viewed by anyone.
The problem, according to a Facebook spokesperson, was due to recent changes to its abuse report system, which allowed any user to flag a number of photos in another user’s album that he or she deemed “inappropriate,” even if the user filing the abuse report was not friends with the user with the private photos.
“Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously,” said a Facebook spokesperson, in an email to Digital Trends. “The bug allowed anyone to view a limited number of another user’s most recently uploaded photos irrespective of the privacy settings for these photos. This was the result of one of our recent code pushes and was live for a limited period of time. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed.”
The loophole was originally uncovered on the forum of BodyBuilding.com, by user ThePoz, a 6-foot 5-inch 205-pounder from Syracuse, New York.
The patch did not come quickly enough for at least one user, however: Facebook co-founder Mark Zuckerberg. Thanks to some security wall-jumping sleuths at Hacker News and Reddit (where the BodyBuilding.com thread was posted and made widely visible), a number of Zuckerberg’s personal photos are now rapidly making their way around the Web.
Prior to its closing, the loophole worked like this: Go to the photos page of a user who is not your friend. Click on the “Report/Block” tab, and select “Inappropriate Profile photo.” After going through a number of pop-up windows, users who select to “Help us take action by selecting additional photos to include with your report,” were then allowed to pick other photos from that user’s albums. A little clever copy/paste of an image’s URL, and voila, private photos for all to see.
This is only the latest privacy flub Facebook has had to deal with since its launch in 2006. Just last week, Facebook settled with the Federal Trade Commission, which had accused the popular social network of engaging in “unfair and deceptive” privacy practices. The terms of the settlement require Facebook to receive explicit consent from users before changing any privacy settings, and to subject itself to independent audits of its privacy system for the next 20 years.
Because of this scrutiny, Facebook was quick to reiterate its commitment to user privacy, and it’s ability to keep private user data safe.
“The privacy of our user’s data is a top priority for us, and we invest lots of resources in protecting our site and the people who use it,” said Facebook’s spokesperson. “We hire the most qualified and highly-skilled engineers and security professionals at Facebook, and with the recent launch of our Security Bug Bounty Program, we continue to work with the industry to identify and resolve legitimate threats to help us keep the site safe and secure for everyone.”