Facebook security flub allowed anyone to view private New Year’s Eve messages

If you’re looking to send a message to your friends or family at the crack of the New Year, Facebook’s “Midnight Delivery” app will deliver a customized Happy New Year message when the clock strikes 12:00 AM. Just don’t make your 2013 salutations too private. Blogger Jack Jenkins discovered that Facebook’s Midnight Delivery app had a security flaw that allowed users to snoop through other people’s New Year’s Eve messages with one very simple hack.

Jenkins found that by changing the ID number at the end of a message URL, you could browse through random messages that other users were sending to each other. Each message is given a Facebook-generated number, similar to how Facebook uses unique ID numbers to identify each user. For instance, after sending a message, you might receive the URL http://www.facebookstories.com/midnightdelivery/confirmation?id=76188. By changing the 76188 to another string of five digits, you could see someone else’s message.

Facebook has since fixed the flaw, so the above link will prompt you to log in, rather than displaying a private message. For anyone who sent a message prior to the fix, there isn’t much to worry about. The name of the sender was never publicly viewable – only his or her picture. The name and profile picture of the message recipient, on the other hand, were visible. The greater concern might be that third-party viewers could delete the messages in question, so you may want to double-check to make sure your midnight greetings are still on schedule.
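The flaw described above is a missing authorization check on an object ID. As an added illustration (not Facebook's code, and going slightly beyond the login prompt the article mentions by also checking ownership), the sketch below contrasts the flawed lookup with a hardened view and delete; the function names, record fields and sample data are hypothetical.

```python
import secrets

# Constructed sample data: message id -> record. Ids are sequential, as in the
# article's ?id=76188 URL; all names and fields here are hypothetical.
MESSAGES = {
    76188: {"owner": "alice", "recipient": "bob", "text": "Happy New Year!"},
    76189: {"owner": "carol", "recipient": "dave", "text": "See you in 2013"},
}

class AuthError(Exception):
    """Raised when the caller is not logged in or does not own the message."""

def view_vulnerable(msg_id):
    # Flawed pattern: the id in the URL is the only thing consulted, so a
    # visitor who changes the number is handed another user's message.
    return MESSAGES[msg_id]

def _authorize(session_user, msg_id):
    if session_user is None:
        raise AuthError("login required")
    msg = MESSAGES.get(msg_id)
    # Same error for "missing" and "not yours", so responses do not reveal
    # which ids exist.
    if msg is None or msg["owner"] != session_user:
        raise AuthError("not found")
    return msg

def view_hardened(session_user, msg_id):
    return _authorize(session_user, msg_id)

def delete_hardened(session_user, msg_id):
    # Destructive actions need the same ownership check as reads.
    _authorize(session_user, msg_id)
    del MESSAGES[msg_id]
    return True

def new_message_id():
    # Defence in depth: an unguessable token instead of a counter. It does
    # not replace the ownership check above.
    return secrets.token_urlsafe(16)
```
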