Facebook had it planned for the New Year, but the witless code running behind the scenes to make it happen seems to have revolted. The Midnight Deliveries feature, with which Facebook planned to amaze its users, has been found to contain a serious privacy flaw.
Facebook introduced the Midnight Deliveries feature last week, targeting the New Year. The feature takes messages from the sender and delivers them to the recipients as the clock strikes midnight on New Year’s Eve.
The feature was accessible (it is now in maintenance mode) through the URL FacebookStories.com/MidnightDelivery. When a message is saved for sending, the system returns a URL in the format:
http://www.facebookstories.com/midnightdelivery/confirmation?id=XXXXX
The sender can see the message by accessing this URL. The issue is that, by changing the digits in the “id” parameter, anyone logged into Facebook can see messages sent by other users; the name of the original sender is replaced by the name of the logged-in user, who is granted full access to the message. That means anyone can modify the message or even delete it. However, this flaw can’t be used to target specific Facebook users.
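The flaw described above is a missing object-level ownership check. As an added example (not Facebook's code; the handler names, the in-memory store and the sample messages are constructed for illustration), here is the lookup as the article describes it next to a version that compares the message owner with the session user:

```python
import secrets

# Constructed sample data: saved messages keyed by the value of the "id" parameter.
MESSAGES = {
    "10001": {"owner": "alice", "to": "carol", "body": "Happy New Year, Carol!"},
    "10002": {"owner": "bob", "to": "dave", "body": "See you next year."},
}


class NotFound(Exception):
    """Raised for unknown ids and for ids owned by someone else."""


def confirmation_vulnerable(session_user, msg_id):
    """Behaviour described in the article: any logged-in user gets any message."""
    if session_user is None:
        raise PermissionError("login required")
    msg = MESSAGES[msg_id]  # looked up by id only, owner never compared
    # The sender shown is the viewer, not the real owner, as the article reports.
    return {"sender": session_user, "to": msg["to"], "body": msg["body"], "editable": True}


def confirmation_hardened(session_user, msg_id):
    """Same lookup, with an object-level ownership check."""
    if session_user is None:
        raise PermissionError("login required")
    msg = MESSAGES.get(msg_id)
    # Same error for "missing" and "not yours", so ids cannot be probed for existence.
    if msg is None or msg["owner"] != session_user:
        raise NotFound(msg_id)
    return {"sender": msg["owner"], "to": msg["to"], "body": msg["body"], "editable": True}


def delete_hardened(session_user, msg_id):
    """Edit and delete paths need the same check as the read path."""
    confirmation_hardened(session_user, msg_id)  # raises unless the caller owns it
    del MESSAGES[msg_id]


def save_message(owner, to, body):
    """Defence in depth: issue a random id instead of a guessable digit sequence."""
    msg_id = secrets.token_urlsafe(16)
    MESSAGES[msg_id] = {"owner": owner, "to": to, "body": body}
    return msg_id
```

The random id only makes identifiers hard to guess; the ownership comparison is what actually closes the hole.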
This flaw was first made public by a student named Jack Jenkins on his blog. Later on, the story was picked up and confirmed by major tech news sites.
Facebook has also taken the issue seriously and is currently trying to fix it. If you visit the Midnight Deliveries site, you will now see the following message.
Source: TheVerge