Student Discovers Security Flaw In Facebook New Year App

Jack Jenkins found and disclosed the bug, but didn’t even get a “thank you” in return

Facebook was forced to temporarily shut down the virtual greeting service it launched in the run up to New Year celebrations, after a British IT student discovered that it contained a serious security flaw.

It turned out that by simply manipulating the web address of a greeting, anyone could read private messages and see photos sent by Facebook users via the official Midnight Message Delivery app.

The bug was fixed in time for New Year, and the campaign went ahead as planned.

Season’s beatings

The Midnight Message Delivery app was designed to enable Facebook users to wish each other a happy New Year with a private message that would be delivered to their Facebook inbox at exactly midnight on December 31.

However, it turned out that changing the web address of any greeting allowed users to gain access to the messages sent by other people. The flaw was discovered by Jack Jenkins, a business IT student at Aberystwyth University in Wales.

“By simple manipulation of the ID at the end of the URL of a sent message on the Facebook Stories site, you are able to view other peoples Happy New Year messages. At least I was when I edited the ID for myself,” wrote Jenkins on his blog.

Using this approach, he was also able to delete other people’s holiday greetings. “I just wanted to share this. I don’t know how a site like Facebook can continue to take these kinds of risks,” added Jenkins.

The student reported the problem to Facebook, and later described it on his blog. However, when the world’s most popular social networking site didn’t respond, Jenkins decided to contact the media. Soon after a report in The Verge, the Midnight Message Delivery website was taken offline, and the flaw fixed.

“We are working on a fix for this issue now, and in the interim, we have disabled this app on the Facebook Stories site to ensure that no messages can be accessed,” a Facebook spokesperson told The Guardian.

By Tuesday evening, Jenkins was still waiting for any kind of response from Facebook.

Since the feature was hosted on Facebook Stories and was not a part of the main website, no messages on the social network itself were compromised.

Facebook has recently updated its privacy settings, making it simpler for the users to decide who can have access to their content.

Are you an expert on Facebook? Take our quiz!