Skip to main content

Glitch in Facebook's 'Midnight Delivery' feature exposes private messages

Facebook's latest privacy snafu comes with New Year's greetings. The social network's "Midnight Delivery" feature was temporarily disabled as developers worked to fix a loophole that allowed crafty Internet hackers to see the private messages of others users.

Midnight Delivery was introduced last year and allowed people to send friends a message as 2012 turns into 2013. The vulnerability was exposed by IT student Jack Jenkins, who found he could access others' messages and photos by modifying the URL of his own messages.

"It is you may say a pretty harmless flaw," Jenkins wrote in a blog post. The messages in question displayed his profile picture, instead of the actual sender's, next to the message. The names of the recipients, however, were visible.

"It shouldn't be possible to do this, as these are not generic and are people's personal images," Jenkins said after stumbling across a father-son message and photo.

The issue has since been fixed, but not before Jenkins alerted the media. A Facebook spokesman told The Verge that it was "working on a fix" for the privacy slip-up. In the meantime, Facebook disabled the app on the Facebook Stories site "to ensure that no messages can be accessed."

As of about 7:00 EST (12:00 GMT) on 31 December, the Midnight Delivery option was again accessible, according to The Next Web.

Facebook did not immediately respond to requests for comment.

Facebook privacy again made headlines last week after the sister of CEO Mark Zuckerberg complained that a photo she posted to the social network wound up on Twitter. Turns out, the photo was made more publicly available because it tagged other people - opening it up to their friends. The whole situation elicited chuckles from those who were amused by the fact that even Mark Zuckerberg's sister, a former marketing executive at the social network, doesn't fully understand Facebook's privacy settings.