Facebook fixes flaw that allowed access to private photos

Filed Under: Facebook, Featured, Privacy, Social networks, Vulnerability

Artist's impression of Mark Zuckerberg and friend

In the end, it took a picture of Mark Zuckerberg holding a dead chicken to get Facebook to fix a flaw that allowed strangers to access your private photos.

In an astonishing faux pas, the social networking site allowed users to have access to other users' personal and private photographs that would normally be hidden from view - by taking advantage of a flaw in the "Report inappropriate profile photo" feature.

The flaw worked like this. If you're a Facebook user, you can report other users' profile pictures as being "inappropriate". For instance, you can say that they contain "nudity or pornography".

However, Facebook then offers the opportunity to select "additional photos to include with your report" and displays a selection of that user's photographs - including photographs which may not be shared publicly.
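The mechanism described above is an authorization bug in a secondary code path: the profile page applied the photo's audience setting correctly, but the "report additional photos" picker listed a user's photos without applying the same check. The following is an added example, not the page's own code and not Facebook's, modelling that pattern with a constructed social graph (users, friendships, audiences and photo ids are all made up): a single `can_view` rule, a profile flow that uses it, the unsafe report flow that bypasses it, the hardened report flow that reuses it, and a `leaked_photo_ids` check that flags anything the report flow reveals beyond what the profile flow would show.

```python
"""Toy model of the 'report additional photos' flaw (constructed example).

The reporting flow listed a user's photos for the reporter to tick, but the
listing was not filtered by each photo's audience, so photos the viewer could
not normally see were rendered. The fix is to run the same visibility check in
the secondary (report) flow that the primary (profile) flow already applies.
All users, friendships, photos and audiences below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Audience(Enum):
    PUBLIC = "public"
    FRIENDS = "friends"
    ONLY_ME = "only_me"


@dataclass
class Photo:
    photo_id: int
    owner: str
    audience: Audience


@dataclass
class Graph:
    friends: dict = field(default_factory=dict)   # user -> set of friends
    photos: list = field(default_factory=list)

    def can_view(self, viewer: str, photo: Photo) -> bool:
        """The one authorization rule every photo-rendering path must consult."""
        if viewer == photo.owner:
            return True
        if photo.audience is Audience.PUBLIC:
            return True
        if photo.audience is Audience.FRIENDS:
            return viewer in self.friends.get(photo.owner, set())
        return False  # ONLY_ME

    def profile_photos(self, viewer: str, owner: str) -> list:
        """Primary flow (the profile page), which applied the check correctly."""
        return [p.photo_id for p in self.photos
                if p.owner == owner and self.can_view(viewer, p)]

    def report_candidates_unsafe(self, viewer: str, owner: str) -> list:
        """Secondary flow as the article describes it: lists the owner's photos
        without consulting the viewer's permissions (the bug)."""
        return [p.photo_id for p in self.photos if p.owner == owner]

    def report_candidates(self, viewer: str, owner: str) -> list:
        """Hardened secondary flow: reuse the profile page's check, so the
        reporter can only pick from photos they were already allowed to see."""
        return [p.photo_id for p in self.photos
                if p.owner == owner and self.can_view(viewer, p)]


def build_sample_graph() -> Graph:
    """Constructed data: alice has one public, one friends-only, one private photo."""
    g = Graph()
    g.friends["alice"] = {"bob"}
    g.friends["bob"] = {"alice"}
    g.photos = [
        Photo(1, "alice", Audience.PUBLIC),
        Photo(2, "alice", Audience.FRIENDS),
        Photo(3, "alice", Audience.ONLY_ME),
    ]
    return g


def leaked_photo_ids(graph: Graph, viewer: str, owner: str) -> list:
    """Regression check: photo ids the unsafe report flow reveals to `viewer`
    that the profile flow would hide. An empty list means the flows agree."""
    visible = set(graph.profile_photos(viewer, owner))
    return [pid for pid in graph.report_candidates_unsafe(viewer, owner)
            if pid not in visible]


if __name__ == "__main__":
    g = build_sample_graph()
    for viewer in ("alice", "bob", "stranger"):
        print(viewer,
              "profile:", g.profile_photos(viewer, "alice"),
              "unsafe report:", g.report_candidates_unsafe(viewer, "alice"),
              "fixed report:", g.report_candidates(viewer, "alice"),
              "leaked:", leaked_photo_ids(g, viewer, "alice"))
```

The design point is that the audience check lives in one place and every flow that renders a photo, including reporting, moderation and notification previews, goes through it; a check like `leaked_photo_ids` run against each such flow in a test suite is how a code push of the kind Facebook describes gets caught before it reaches the live site.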

The flaw was highlighted on a body building message forum (yes, really...) but really got the world's attention when someone posted thirteen private photos from the Facebook account of Mark Zuckerberg.

In many ways it's good that Zuckerberg's account was targeted - if such a high profile figure hadn't fallen victim, the flaw might have continued to be exploited for much longer, opening up opportunities for stalkers and others to view private photos.

So, how did this happen? Well, I think a clue can be found in a brief shot seen in last weekend's BBC documentary about Facebook.

Move Fast and Break Things - poster at Facebook HQ

"Move fast and break things". That's a poster on the wall at Facebook's HQ, and is the company's internal motto.

You'll notice the poster doesn't say "Privacy matters".

In other words, Facebook's programmers are experimenting with new features and are testing them out on the live site without, in this case at least, the code being properly reviewed with privacy in mind.

The good news is that Facebook responded quickly once the problem made the tech headlines and the ability to report additional photos (and thus inadvertently see users' private photos) is currently withdrawn.

Facebook issued a statement to the media about the flaw:

"Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously."

"The bug was a result of one of our most recent code pushes and was live for a limited period of time. Not all content was accessible, rather a small number of one's photos. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed."

It's good that Facebook has fixed the flaw, as it impacted the privacy of users (including its CEO), but it should never have happened in the first place.

Journalist Helen Lewis-Hasteley was inspired by the incident to half-jokingly suggest that everyone should change their avatar picture to encourage Facebook to take privacy more seriously:

Maybe that's not such a bad idea.

Facebook needs to stop making mistakes when it comes to its members' privacy. Once users' trust is broken, it will be very hard to restore.

If you're on Facebook and want to stay informed about the latest scams, worms and privacy issues join the Sophos page on Facebook. You'll find over 150,000 people there, regularly sharing information on threats and discussing the latest security news.


10 Responses to Facebook fixes flaw that allowed access to private photos

  1. David Harley · 865 days ago

    Nice hook. :) By way of an alternative motto, I'd suggest "if you're in a hole, stop digging": or maybe "do as I say, not as I do."

  2. Jack The Bodiless · 865 days ago

    This is the 21st century. Privacy doesn't matter. At least, not in the same sense as it did back in the day. Security, yes. Privacy? That's a thing of the past.

    • Sean Sullivan · 865 days ago

      In one sense, “privacy” never really existed. I'm pretty sure that my local small town bank teller, Peggy, still remembers I always had surplus funds in my primary bank account, back in the day…

      No way to erase her memory, and really, why should I want to?

  3. I've been able to see strangers' photos for MONTHS. It's about time this was fixed.

  4. 4caster · 865 days ago

    So what's inappropriate about a photo of someone holding a dead chicken? I've got one in my freezer now. I also have a dead pheasant hanging in my garage, someone else's roadkill complete with feathers, but good to eat when dressed and cooked.

  5. Phil · 864 days ago

    If it was a flaw in google+, someone would be holding a dead duck instead.

  6. jessi slaughter · 864 days ago

    it's a metaphor: the chicken represents the internet as we used to know it.

  7. Jenny · 864 days ago

    I have seen many a dead chicken when I was young. My family raised and ate chickens, pigs, and cows. This is the way people in the country have done things for centuries. I personally don't post anything I don't want seen on my computer or elsewhere.

  8. Richard Hodgson · 864 days ago

    This used to apply to status updates too: I found that you could view people's wall posts even if they supposedly hid them from strangers in their privacy settings by clicking on the Report button on their page. I informed Facebook, and to their credit, it seemed to be fixed within a couple of weeks.

    It's just a shame that these problems even occurred in the first place.

  9. Jack Yan · 864 days ago

    In the haste to fix this problem, they created another. As of tonight, I can no longer choose to restrict things from the Limited Profile group, which Facebook has had since I joined in early 2007. Another ‘oops’ from Facebook, it seems.


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.