Facebook Fixes Complaint Feature Abused To Bypass Photo Privacy, Zuckerberg Among Victims

Type threatpost
Reporter Paul Roberts
Modified 2013-04-17T16:33:12


Facebook has fixed a critical flaw in a user feedback feature that allowed any user to access private photos posted in other users' accounts. Before it was fixed, the flaw was used to hack the account of Facebook CEO Mark Zuckerberg and post photos online.

The social network responded quickly after a post in a discussion forum on bodybuilding.com detailed how the feature for reporting suspicious content could be used to bypass privacy protections on other Facebook users' accounts. The company issued a statement Tuesday afternoon saying the bug was introduced in a "recent code push" and was only present for a short period of time before it was patched.
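The bug class the article describes is an authorization check that the primary photo-view path enforces but a secondary path (the content-report flow) skips, so looking an object up by id through the secondary path discloses content the caller is not allowed to see. The following is an added illustration, not Facebook's code or data model: the user names, the three-level visibility model, the `Graph` class and the `find_leaks` regression check are all constructed for this example. It shows the vulnerable pattern beside the fixed one and a check that flags any viewer/photo pair where the report path returns more than the view path would.

```python
"""Added illustration of the bug class in the article: an authorization
check present on the primary view path but missing from a secondary
(content-report) path. Every name and the privacy model below are
constructed for this example; nothing here is Facebook's own code or data."""
from dataclasses import dataclass, field


@dataclass
class Photo:
    owner: str
    visibility: str   # constructed model: "public", "friends" or "only_me"
    url: str


@dataclass
class Graph:
    friends: dict = field(default_factory=dict)   # user -> set of friends
    photos: dict = field(default_factory=dict)    # photo_id -> Photo

    def can_view(self, viewer, photo_id):
        """Single source of truth for photo visibility."""
        photo = self.photos[photo_id]
        if viewer == photo.owner or photo.visibility == "public":
            return True
        if photo.visibility == "friends":
            return viewer in self.friends.get(photo.owner, set())
        return False

    def view_photo(self, viewer, photo_id):
        """Primary path: enforces the check before returning content."""
        if not self.can_view(viewer, photo_id):
            raise PermissionError("photo not visible to viewer")
        return self.photos[photo_id].url

    def report_photo_vulnerable(self, reporter, photo_id):
        """Secondary path in the buggy pattern: looks the object up by id
        and echoes its content back without consulting can_view."""
        photo = self.photos[photo_id]
        return {"reported": photo_id, "preview_url": photo.url}

    def report_photo_fixed(self, reporter, photo_id):
        """Same flow with the check reused: the report is still recorded,
        but the preview carries nothing the reporter could not already see."""
        allowed = self.can_view(reporter, photo_id)
        preview = self.photos[photo_id].url if allowed else None
        return {"reported": photo_id, "preview_url": preview}


def find_leaks(graph, report_fn):
    """Regression check for a code push: every (viewer, photo) pair the view
    path denies must also get no content from the report path. Returns the
    offending pairs, so an empty list means the two paths agree."""
    leaks = []
    for viewer in graph.friends:
        for photo_id in graph.photos:
            if graph.can_view(viewer, photo_id):
                continue
            if report_fn(viewer, photo_id)["preview_url"] is not None:
                leaks.append((viewer, photo_id))
    return leaks


def build_sample():
    """Constructed sample data: three users and three photos owned by alice."""
    g = Graph()
    g.friends = {"alice": {"bob"}, "bob": {"alice"}, "mallory": set()}
    g.photos = {
        "p1": Photo("alice", "only_me", "https://example.invalid/p1.jpg"),
        "p2": Photo("alice", "friends", "https://example.invalid/p2.jpg"),
        "p3": Photo("alice", "public", "https://example.invalid/p3.jpg"),
    }
    return g


if __name__ == "__main__":
    g = build_sample()
    print(find_leaks(g, g.report_photo_vulnerable))  # pairs the report path over-discloses
    print(find_leaks(g, g.report_photo_fixed))       # []
```

The design point is that `can_view` is the only place visibility is decided, and every path that hands back content, including side features such as reporting, calls it; the `find_leaks` check is the kind of test that would catch a regression like the one the article attributes to a recent code push before it ships.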

“Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed,” Facebook said in an e-mail comment.

But not before the photo albums of Facebook CEO Mark Zuckerberg were compromised using the flaw. A total of thirteen photos from Zuckerberg's account were downloaded and posted on the Web site imgur.com.

In its statement, Facebook said the privacy of users’ data “is a top priority for us, and we invest significant resources in protecting our site and the people who use it.”

The company recently settled a case with the U.S. Federal Trade Commission (FTC) that will require the company to be more forthcoming about how it protects the privacy of photos and other personal information its users post. The company will also have to submit to privacy audits every two years.

In recent months, the social network has made efforts to improve its image on security and privacy. It announced a bug bounty in August 2011 and has taken pains to make its security process more transparent.

“We hire the most qualified and highly-skilled engineers and security professionals at Facebook…we continue to work with the industry to identify and resolve legitimate threats to help us keep the site safe and secure for everyone,” the company said in a statement.