
Facebook closes loophole that exposes private photos


Facebook has disabled parts of its abuse report system that allowed users’ private photos to be viewed by anyone.

The problem, according to a Facebook spokesperson, was due to recent changes to its abuse report system, which allowed any user to flag a number of photos in another user’s album that he or she deemed “inappropriate,” even if the user filing the abuse report was not friends with the user with the private photos.

“Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously,” said a Facebook spokesperson, in an email to Digital Trends. “The bug allowed anyone to view a limited number of another user’s most recently uploaded photos irrespective of the privacy settings for these photos. This was the result of one of our recent code pushes and was live for a limited period of time. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed.”

The loophole was originally uncovered on the forum of BodyBuilding.com, by user ThePoz, a 6-foot 5-inch 205-pounder from Syracuse, New York.

The patch did not come quickly enough for at least one user, however: Facebook co-founder Mark Zuckerberg. Thanks to some security wall-jumping sleuths at Hacker News and Reddit (where the BodyBuilding.com thread was posted and made widely visible), a number of Zuckerberg’s personal photos are now rapidly making their way around the Web.

Prior to its closing, the loophole worked like this: Go to the photos page of a user who is not your friend. Click on the “Report/Block” tab, and select “Inappropriate Profile photo.” After going through a number of pop-up windows, users who chose “Help us take action by selecting additional photos to include with your report” were then allowed to pick other photos from that user’s albums, regardless of those photos’ privacy settings. A little clever copy/paste of an image’s URL, and voila, private photos for all to see.
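The root cause described above is a secondary flow (the multi-photo report picker) that listed a user’s recent uploads without applying the same visibility check the normal photo view applies. The following is an added illustration, not Facebook’s code or anything from the article: a hypothetical `Graph` model with a constructed friend list and sample photos, a vulnerable picker that ignores privacy, and a fixed picker that reuses the viewer authorization check.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set

class Privacy(Enum):
    PUBLIC = "public"
    FRIENDS = "friends"
    ONLY_ME = "only_me"

@dataclass
class Photo:
    photo_id: str
    owner: str
    privacy: Privacy

@dataclass
class Graph:
    friends: Dict[str, Set[str]]       # owner -> set of friends
    photos: Dict[str, List[Photo]]     # owner -> uploads, newest first

def can_view(viewer: str, photo: Photo, graph: Graph) -> bool:
    """The single authorization rule every photo-listing flow must share."""
    if viewer == photo.owner or photo.privacy is Privacy.PUBLIC:
        return True
    if photo.privacy is Privacy.FRIENDS:
        return viewer in graph.friends.get(photo.owner, set())
    return False  # ONLY_ME, or any privacy value not handled above

def report_candidates_vulnerable(viewer: str, reported: str, graph: Graph, limit: int = 5) -> List[str]:
    """Bug pattern: returns the most recent uploads without any viewer check."""
    return [p.photo_id for p in graph.photos.get(reported, [])[:limit]]

def report_candidates_fixed(viewer: str, reported: str, graph: Graph, limit: int = 5) -> List[str]:
    """Fix: filter through can_view() before exposing anything to the picker."""
    visible = (p for p in graph.photos.get(reported, []) if can_view(viewer, p, graph))
    return [p.photo_id for p in visible][:limit]

# Constructed sample data (hypothetical users and photo ids).
SAMPLE = Graph(
    friends={"owner": {"friend"}},
    photos={"owner": [
        Photo("p1", "owner", Privacy.PUBLIC),
        Photo("p2", "owner", Privacy.FRIENDS),
        Photo("p3", "owner", Privacy.ONLY_ME),
    ]},
)

if __name__ == "__main__":
    print(report_candidates_vulnerable("stranger", "owner", SAMPLE))  # leaks p2 and p3
    print(report_candidates_fixed("stranger", "owner", SAMPLE))       # ['p1']
```

A regression test that runs every listing endpoint as a non-friend against a private fixture album would have caught this class of bug before the code push went live.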

This is only the latest privacy flub Facebook has had to deal with since its launch in 2006. Just last week, Facebook settled with the Federal Trade Commission, which had accused the popular social network of engaging in “unfair and deceptive” privacy practices. The terms of the settlement require Facebook to receive explicit consent from users before changing any privacy settings, and to subject itself to independent audits of its privacy system for the next 20 years.

Because of this scrutiny, Facebook was quick to reiterate its commitment to user privacy, and its ability to keep private user data safe.

“The privacy of our users’ data is a top priority for us, and we invest lots of resources in protecting our site and the people who use it,” said Facebook’s spokesperson. “We hire the most qualified and highly skilled engineers and security professionals at Facebook, and with the recent launch of our Security Bug Bounty Program, we continue to work with the industry to identify and resolve legitimate threats to help us keep the site safe and secure for everyone.”

Andrew Couts
Former Digital Trends Contributor