Facebook was forced to temporarily disable its Midnight Message service today, after an IT student uncovered a security flaw.
The Midnight Delivery app, which is part of the Facebook Stories site, allows users to send a message to their pals across the globe and have it appear when the clock strikes 12am on January 1.
However, when testing the messaging app, British IT student Jack Jenkins found that he was able to access messages and photos sent by other users, simply by modifying the URL of his own messages.
The new messages displayed his personal profile picture, but the content of the messages, photos from other users, as well as the names of the recipients.
Writing on his personal blog, Jenkins said he was able to view an image of a father and son (people that he did not know) and even delete messages that had been sent.
Jenkins, who studies at Aberystwyth University, posted: "It shouldn't be possible to do this, as these are not generic and are people's personal images.
"A very bad part of it all is I think that you can actually delete other people's messages, which I have tested for myself on a single message as I thought that it would say access denied."
The flaw did not expose regular Facebook Inbox messages, only those which had been sent through the Midnight Delivery app, but this is still a pretty serious lapse.
The social network said it was "working on a fix," but in the meantime disabled the app to ensure more messages could not be exposed.
It was available for use again as of noon in the UK (7am EST) on New Year's Eve.
Via The Next Web