In the end, it took a picture of Mark Zuckerberg holding a dead chicken to get Facebook to fix a flaw that allowed strangers to access your private photos.
In an astonishing faux pas, the social networking site allowed users to have access to other users’ personal and private photographs that would normally be hidden from view – by taking advantage of a flaw in the “Report inappropriate profile photo” feature.
The flaw worked like this. If you’re a Facebook user, you can report other users’ profile pictures as being “inappropriate”. For instance, you can say that they contain “nudity or pornography”.
However, Facebook then gives an opportunity to select “additional photos to include with your report” and displays a selection of photographs – which may not be shared publicly.
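One way a flaw of this class can arise, shown as an added example that is not Facebook's code: a secondary flow (the report picker) lists a user's photos by owner without applying the audience check that the normal photo view uses. All names (`Photo`, `can_view`, the picker functions) and the sample data are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed model: Photo, can_view and both picker functions are
# hypothetical names, not Facebook's code or API.
@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    audience: str  # "public", "friends", or "only_me"

FRIENDS = {("alice", "bob")}  # constructed friendship graph

def are_friends(a: str, b: str) -> bool:
    return (a, b) in FRIENDS or (b, a) in FRIENDS

def can_view(viewer: str, photo: Photo) -> bool:
    """Single authorization decision meant to be used by every code path."""
    if viewer == photo.owner or photo.audience == "public":
        return True
    return photo.audience == "friends" and are_friends(viewer, photo.owner)

PHOTOS = [  # constructed sample data
    Photo(1, "alice", "public"),
    Photo(2, "alice", "friends"),
    Photo(3, "alice", "only_me"),
]

def report_picker_flawed(reporter: str, reported_user: str) -> list[int]:
    # Flaw class: the secondary flow selects by owner only and never
    # consults the audience setting.
    return [p.photo_id for p in PHOTOS if p.owner == reported_user]

def report_picker_checked(reporter: str, reported_user: str) -> list[int]:
    # Offers only photos the reporter could already see elsewhere.
    return [p.photo_id for p in PHOTOS
            if p.owner == reported_user and can_view(reporter, p)]

def leaked_ids(picker, viewer: str, owner: str) -> list[int]:
    """Regression check: IDs a picker shows that can_view would deny."""
    by_id = {p.photo_id: p for p in PHOTOS}
    return [i for i in picker(viewer, owner) if not can_view(viewer, by_id[i])]

if __name__ == "__main__":
    print(leaked_ids(report_picker_flawed, "mallory", "alice"))
    print(leaked_ids(report_picker_checked, "mallory", "alice"))
```

A check like `leaked_ids`, run against every endpoint that returns user content, is the kind of privacy-focused review step that catches this before a code push goes live.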
The flaw was highlighted on a body building message forum (yes, really..) but really got the world’s attention when someone posted thirteen private photos from the Facebook account of Mark Zuckerberg.
In many ways it’s good that Zuckerberg’s account was targeted – if such a high profile figure hadn’t fallen victim, the flaw might have continued to be exploited for much longer, opening up opportunities for stalkers and others to view private photos.
So, how did this happen? Well, I think a clue can be found in a brief shot seen in last weekend’s BBC documentary about Facebook.
“Move fast and break things”. That’s a poster on the wall at Facebook’s HQ, and is the company’s internal motto.
You’ll notice the poster doesn’t say “Privacy matters”.
In other words, Facebook’s programmers are experimenting with new features and are testing them out on the live site without, in this case at least, the code being properly reviewed with privacy in mind.
The good news is that Facebook responded quickly once the problem made the tech headlines and the ability to report additional photos (and thus inadvertently see users’ private photos) is currently withdrawn.
Facebook issued a statement to the media about the flaw:
"Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously."
"The bug was a result of one of our most recent code pushes and was live for a limited period of time. Not all content was accessible, rather a small number of one's photos. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed."
It’s good that Facebook has fixed the flaw, as it impacted the privacy of users (including its CEO), but it should never have happened in the first place.
Journalist Helen Lewis-Hasteley was inspired by the incident to half-jokingly suggest that everyone should change their avatar picture to encourage Facebook to take privacy more seriously:
https://twitter.com/#!/helenlewis/status/144082505446858752
Maybe that’s not such a bad idea.
Facebook needs to stop making mistakes when it comes to its members’ privacy. Once users’ trust is broken, it will be very hard to restore.
Nice hook. 🙂 By way of an alternative motto, I'd suggest "if you're in a hole, stop digging": or maybe "do as I say, not as I do."
This is the 21st century. Privacy doesn't matter. At least, not in the same sense as it did back in the day. Security, yes. Privacy? That's a thing of the past.
In one sense, “privacy” never really existed. I'm pretty sure that my local small town bank teller, Peggy, still remembers I always had surplus funds in my primary bank account, back in the day…
No way to erase her memory, and really, why should I want to?
I've been able to see strangers' photos for MONTHS. It's about time this was fixed.
So what's inappropriate about a photo of someone holding a dead chicken? I've got one in my freezer now. I also have a dead pheasant hanging in my garage, someone else's roadkill complete with feathers, but good to eat when dressed and cooked.
If it was a flaw in Google+, someone would be holding a dead duck instead.
It's a metaphor: the chicken represents the internet as we used to know it.
I have seen many a dead chicken when I was young. My family raised and ate chickens, pigs, and cows. This is the way people in the country have done things for centuries. I personally don’t post anything I don’t want seen on my computer or elsewhere.
This used to apply to status updates too: I found that you could view people’s wall posts even if they supposedly hid them from strangers in their privacy settings by clicking on the Report button on their page. I informed Facebook, and to their credit, it seemed to be fixed within a couple of weeks.
It’s just a shame that these problems even occurred in the first place.
In the haste to fix this problem, they created another. As of tonight, I can no longer choose to restrict things from the Limited Profile group, which Facebook has had since I joined in early 2007. Another ‘oops’ from Facebook, it seems.