Facebook privacy flaw exposes founder Mark Zuckerberg’s own private photos
Published 07/12/2011 | 08:07
A FLAW in Facebook has granted prying users access to supposedly private photographs, including those of the website’s chief executive, Mark Zuckerberg.
Step-by-step instructions for how to circumvent Facebook’s privacy systems have been circulating online for more than two weeks.
The method, which was blocked on Tuesday, involved exploiting systems meant to stop users posting explicit material on the web's largest social network.
After reporting a public profile picture as inappropriate because of “nudity or pornography”, intruders were offered the chance to report more photographs posted by the same user. Facebook then presented them with a thumbnail gallery of private images which could be enlarged by making a simple change in the browser address bar and downloaded.
The flaw was originally publicised on a bodybuilding forum last month.
"Facebook could take action on your account should this be abused," the original poster wrote. "I urge you to use on a dummy account if you care about keeping your Facebook profile active."
It was verified today by experts on Hacker News, a widely read software development website.
"If that doesn't prove that [Facebook's] developers aren't thinking about security, I don't know what would," said one developer. "Nobody who is in a culture of protecting security would even consider building this."
A Facebook spokesman said: "We discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously".
"The bug was a result of one of our most recent code pushes and was live for a limited period of time. Not all content was accessible, rather a small number of one's photos," he added. "Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed."
"The privacy of our users' data is a top priority for us, and we invest lots of resources in protecting our site and the people who use it."
Using the method, the website's users raided Mark Zuckerberg’s private albums and posted their contents on other websites.
The 27-year-old is shown in a series of candid shots with his girlfriend Priscilla Chan and his Hungarian sheepdog puppy, Beast. Mr Zuckerberg’s private photographs also include a picture of him holding an apparently live chicken by its legs; the young billionaire has said he only eats meat from animals he kills himself. Some of the photographs were already publicly available.
The 14 pictures were posted anonymously on an image sharing website under the heading "It's time to fix those security flaws Facebook".
As well as being potentially personally embarrassing for Mr Zuckerberg, the flaw has been exposed at an awkward time for the firm he co-founded at Harvard University.
Last week Facebook admitted “a bunch of mistakes” after American regulators accused it of “unfair and deceptive” privacy practices. The Federal Trade Commission investigated a series of controversies over sharing user data with advertisers, access to user data by third-party apps and changes to privacy settings that made more user data public without warning.
In a blog post, Mr Zuckerberg said that “even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected”.
“It's important for people to think about this, and not one day goes by when I don't think about what it means for us to be the stewards of this community and their trust,” he added.
Facebook was forced to agree to external inspections of its privacy systems and to fines of $16,000 per day for new violations. Mr Zuckerberg also pledged to protect users' information "better than any other company in the world".