Midnight Message Delivery app suspended after a student was able to read private messages meant for other users
Facebook has quickly disabled its legal holiday Eve electronic messaging tool once a college student was able to scan and delete non-public messages meant for alternative users.
Jack Jenkins, a business IT student at Aberystwyth university, alerted Facebook to the privacy flaw once finding that atiny low tweak to an online address allowed him to look at messages and photos sent by strangers exploitation the new tool.
Facebook launched its time of day Message Delivery app as the way for users to send legal holiday Eve messages on the stroke of time of day on thirty one December.
Jenkins wrote on his web log however he was afraid once he was able to read a private legal holiday message and personal family photograph sent by a interloper to a different named Facebook user.
He wrote: "I simply wished to share this. i do not knowledge a web site like Facebook will still take these forms of risks. PLEASE do not go deleting random messages, however attempt to delete one among mine that I started particularly if you wish."
Jenkins same he discovered the vulnerabilty by tweaking the computer address of a confirmation page on the Facebook app.
He told the Guardian: "I was terribly stunned to search out that this had been unnoticed by Facebook, as it's such an easy security hole.
"I was even additional stunned to search out I might see photos and delete this twelvemonth want. It appears that Facebook treated of these messages as distinctive messages, on the other hand didn't link them to a novel person to form them non-public to them. i do not apprehend all the ins and outs of it, however it is a pretty massive factor for an organization to overlook."
Facebook right away disabled the feature once Jenkins revealed his blogpost.
It is understood that no messages sent on the Facebook {website|web web site} itself were visible because the time of day Message Delivery app existed on a separate Facebook Stories site.
A Facebook representative said: "We area unit performing on a fix for this issue currently, and within the interim we've disabled this app on the Facebook Stories web site to make sure that no messages may be accessed."
The blunder comes at Associate in Nursing wrong time for Facebook, simply days once founder Mark Zuckerberg's sister complained that her own privacy had been invaded once a non-public family photograph was shared wide by a United States of America journalist.
The picture – of Randi Zuckerberg's family's reaction to Facebook's new Poke app – popped up within the news feed of Callie missionary of communication Media WHO assumed it had been public and reposted it on Twitter, wherever it had been picked up by many distinguished technology blogs