FACEBOOK was forced to disable its Midnight Message Delivery app after a Welsh student discovered a flaw that made it possible to read other people's messages.
Facebook's Midnight Message Delivery app lets members of the social network write private messages to their friends and family that were to be delivered at midnight tonight.
However, Jack Jenkins, a student at Aberystwyth University, found that a small change to a web address made it possible to read and delete other people's private messages and photos.
Writing on his website, Jenkins said: "I don’t know how a site like Facebook can continue to take these kinds of risks."
He said that the messages he had accessed did not tend to include personal material or identify the original sender of the message but it was possible to see the name of the message recipient. In some cases he had been able to see photographs that members had shared.
Jenkins added that the way the service was set up made it appear that all the messages he could access were displayed as if he had written them.
Jenkins contacted Facebook about the flaw. The social network briefly disabled the Midnight Message Delivery app to fix the problem. Facebook later confirmed that the messaging tool was working again.
The New Year's Eve app is part of Facebook Stories, which is separate from the main Facebook network. No messages sent on Facebook itself were affected by the flaw.
The picture, which showed the Zuckerberg family playing with Facebook's new Poke application for the iPhone, was seen by an American journalist who assumed it was public and shared it with her friends.
Ms Zuckerberg complained that sharing the photo was "way uncool".
Earlier this month Facebook published new privacy settings that it said offered "better clarity and control" over the material shared on the social network.