British student Jack Jenkins detected a serious security flaw in the Facebook New Year app and reported it to the social media network, but has still not received a thank you for his efforts to protect the privacy of Facebook users.
Facebook launched the Midnight Message Delivery app, built by the social media network so that any Facebook user could have a Happy New Year message delivered to all their friends' inboxes at exactly midnight.
The fault in this message delivery service was detected by British student Jack Jenkins, who posted details of the flaw on his personal blog to alert other Facebook users to the privacy risk the service posed, and then let Facebook know about the problem.
On his blog he wrote: “Facebook have implemented a new service to wish friends and family a Happy New Year, offering to deliver your message to them on the strike of midnight.
“Facebook however have not been very security consious [sic] when setting this up. By simple manipulation of the ID at the end of the URL of a sent message on the FacebookStories site, you are able to view other people’s Happy New Year messages. At least I was when I edited the ID for myself.”
The problem allowed other people to see not only generic messages sent out at midnight but also private messages that might include photographs or personal information.
Jack Jenkins also found that anyone manipulating the service may also be able to delete messages.
He wrote: “A very bad part of it all is I think that you can actually DELETE other people’s messages, which I have tested for myself on a single message as I thought that it would say access denied.
“I just wanted to share this. I don’t know how a site like Facebook can continue to take these kinds of risks. PLEASE don’t go deleting random messages, but try and delete one of mine that I set up especially if you want. And share this message with someone else who may be interested.”
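The pattern Jenkins describes, a message ID taken from the URL and trusted without checking who is asking, is an insecure direct object reference. The following is an added illustration and not Facebook's code: a hypothetical in-memory message store whose unchecked view and delete handlers sit beside checked versions that tie every access to the requesting user; the URL layout, user names and messages are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str

@dataclass
class MessageStore:
    messages: dict = field(default_factory=dict)

    # VULNERABLE pattern: the handler trusts the ID taken from the URL and
    # never asks who is making the request, so any ID that exists is served.
    def view_unchecked(self, msg_id):
        return self.messages.get(msg_id)

    def delete_unchecked(self, msg_id):
        return self.messages.pop(msg_id, None) is not None

    # HARDENED pattern: every object access is tied to the requesting user.
    def _party_to(self, msg, user):
        return msg is not None and user in (msg.sender, msg.recipient)

    def view_checked(self, msg_id, user):
        msg = self.messages.get(msg_id)
        # Same answer for "no such message" and "not yours", so probing IDs
        # reveals nothing about which ones exist.
        return msg if self._party_to(msg, user) else None

    def delete_checked(self, msg_id, user):
        msg = self.messages.get(msg_id)
        # Only the author may delete; recipients and strangers are refused.
        if msg is None or msg.sender != user:
            return False
        del self.messages[msg_id]
        return True

def id_from_url(url):
    # Hypothetical URL layout: the message ID is the last path segment.
    return int(url.rstrip("/").rsplit("/", 1)[-1])

def build_sample_store():
    # Constructed sample data, not real messages.
    store = MessageStore()
    store.messages[1001] = Message(1001, "alice", "bob", "Happy New Year, Bob!")
    store.messages[1002] = Message(1002, "carol", "dave", "Private note + photo")
    return store
```

A server-side log of refused `view_checked`/`delete_checked` calls from one account across many sequential IDs is also the simplest detection signal for this class of bug.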
After users and Facebook had been alerted to the problem, the site went down temporarily for maintenance, and when it came back online the problem had been resolved.
Jack Jenkins later updated his blog post about the potentially very damaging bug to let readers know that Facebook had still not contacted him personally about the problem, and that there was still no sign of a thank you from the social media giant for his help in putting right what could have been a very serious problem for the network.