Published December 06, 2011
A surprising security hole in Facebook allows almost anyone to see pictures marked as private, an online forum revealed late Monday.
Even pictures supposedly kept hidden from uninvited eyes by Facebook’s privacy controls aren’t safe, reported one user of a popular bodybuilding forum in a post entitled “I teach you how to view private Facebook photos.”
Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn’t long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself -- evidence that the hack worked, he said.
"The bug allowed anyone to view a limited number of another user's most recently uploaded photos irrespective of the privacy settings for these photos," Facebook said in a statement. "Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed."
The issue stems from the site’s own reporting system, which Facebook has designed to give users power to police each other.
In this case, after a user reports another for “nudity and pornography” in their profile picture, Facebook presents them with the further option of “selecting additional photos to include with your report.”
If a user chooses to continue, Facebook provides them with an album of additional photos to choose from. In FoxNews.com tests, this function consistently revealed private pictures, which the user could then resize and enlarge by adjusting bits of code.
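As an added illustration (constructed model, not Facebook's code), the flow the article describes reduces to a visibility check that the normal photo views apply but that the auxiliary report flow skipped when it pulled a user's most recent uploads; the fix is to run the same check on every code path that returns photos. The names and the sample data below are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    visibility: str   # "public", "friends" or "only_me" (assumed settings)
    uploaded_at: int  # constructed upload order; higher means newer

@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    photos: list = field(default_factory=list)

def can_view(viewer: User, photo: Photo, owner: User) -> bool:
    """The visibility check that the profile and album views apply."""
    if viewer.name == owner.name:
        return True
    if photo.visibility == "public":
        return True
    if photo.visibility == "friends":
        return viewer.name in owner.friends
    return False  # "only_me" and anything unexpected stays hidden

def recent_photos(owner: User, limit: int) -> list:
    return sorted(owner.photos, key=lambda p: p.uploaded_at, reverse=True)[:limit]

def report_candidates_vulnerable(reporter: User, reported: User, limit: int = 5) -> list:
    """Auxiliary report flow without the check: hands back the most recent
    uploads regardless of their privacy setting (the behaviour reported above)."""
    return [p.photo_id for p in recent_photos(reported, limit)]

def report_candidates_fixed(reporter: User, reported: User, limit: int = 5) -> list:
    """Same flow with the visibility check applied on this path as well."""
    visible = [p for p in reported.photos if can_view(reporter, p, reported)]
    return [p.photo_id for p in sorted(visible, key=lambda p: p.uploaded_at, reverse=True)[:limit]]

def demo():
    """Constructed sample: a stranger files a report against a user with mixed privacy settings."""
    target = User("target")
    target.photos = [
        Photo(1, "target", "public", 10),
        Photo(2, "target", "friends", 20),
        Photo(3, "target", "only_me", 30),
    ]
    stranger = User("stranger")
    return report_candidates_vulnerable(stranger, target), report_candidates_fixed(stranger, target)
```

`demo()` returns `([3, 2, 1], [1])`: the unchecked path leaks the friends-only and only-me photos, the checked path returns only the public one.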
Last week Facebook settled with the Federal Trade Commission for allegedly exposing details about users' lives without getting legally required consent. In some cases, the FTC charged, Facebook allowed potentially sensitive details to be passed along to advertisers and software developers prowling for customers.
To avoid further legal wrangling, Facebook agreed to submit to government audits of its privacy practices every other year for the next two decades. The company committed to getting explicit approval from its users -- a process known as "opting in" -- before changing their privacy controls.