Welsh student Jack Jenkins recently came across a significant vulnerability in Facebook's Midnight Delivery service, which was designed to send messages to friends at the stroke of midnight on New Year's Eve.
"By simple manipulation of the ID at the end of the URL of a sent message on the FacebookStories site, you are able to view other people's Happy New Year messages," Jenkins writes. "At least I was when I edited the ID for myself."
"The sender isn’t visible when you look at the sent message, but the intended recipient and the contents of the message are shown," writes The Inquisitr's Kyle Murphy. "The avatar that normally would display the sender’s image would then be replaced by the unexpected viewer’s image. Along with viewing the message's contents, the flaw also allows the hacker to delete the message if they wanted."
"While this may be considered to be a minor flaw in Facebook’s master plan to get everyone to communicate using its platform, one thing that shouldn’t be overlooked is the fact that this could be potentially embarrassing if not damaging for some individuals who use this for, let’s say, unorthodox purposes (yes, we know there are some users who do that type of stuff). ... As Facebook is interested in being the repository for everything that is happening in our lives, the apparent inability to secure New Year’s greetings puts a bit of a stain on the company’s privacy record," writes The Next Web's Ken Yeung.
"Facebook's Midnight Delivery tool was made available to the public again on Monday morning," International Business Times reports.
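The flaw described above is a missing per-object authorization check: the server trusted the message ID in the URL for both viewing and deleting. The sketch below is an added illustration, not Facebook's code; the `MessageStore` class, its method names, the sequential IDs and the sender-only access rule are all assumptions chosen to show the flawed pattern beside the corrected one.

```python
"""Constructed model of a message store addressed by an ID taken from the URL."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the session user may not access the requested message."""


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


class MessageStore:  # hypothetical name, for illustration only
    def __init__(self):
        self._messages = {}
        self._next_id = 1000  # assumption: sequential IDs, as in many web apps

    def create(self, sender, recipient, body):
        message_id = self._next_id
        self._next_id += 1
        self._messages[message_id] = Message(sender, recipient, body)
        return message_id

    # Flawed pattern: the session user is known but never compared to the owner.
    def view_unchecked(self, session_user, message_id):
        return self._messages[message_id]

    def delete_unchecked(self, session_user, message_id):
        del self._messages[message_id]

    # Corrected pattern: one ownership check shared by every operation.
    def _owned(self, session_user, message_id):
        message = self._messages.get(message_id)
        # Same error for "missing" and "not yours", so IDs cannot be probed.
        if message is None or message.sender != session_user:
            raise Forbidden(message_id)
        return message

    def view(self, session_user, message_id):
        return self._owned(session_user, message_id)

    def delete(self, session_user, message_id):
        self._owned(session_user, message_id)
        del self._messages[message_id]
```

Routing view and delete through the same `_owned` check is the point: the reported flaw affected both operations, and a check added to only one of them would leave the other exposed.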