Today’s winning comment comes from our post about a Facebook security flaw that allowed people to access private photos – including some from Paris Hilton at the Emmys and others from Facebook founding CEO Mark Zuckerberg’s vacation in November of 2005. In an excellent example of crowdsourced fact checking and research, Mark Jaquith noted that “this flaw has been publicly known for weeks”. Wrote Mark: “Here is a tutorial, from late February (AP is reporting that the flaw was fixed, so hopefully this doesn’t still work.)”
Congratulations Mark, you’ve won a $30 Amazon voucher – courtesy of our competition sponsors AdaptiveBlue and their Netflix Queue Widget.
Here is Mark’s full comment, followed by an extra comment he left verifying that Facebook has now fixed the error:
“This flaw has been publicly known for weeks (which I report as an example of how poorly Facebook takes user privacy, not as a correction to your story). Really crazy. They weren’t checking user permissions for photo pages. If you could guess the ID of a photo, you could view that photo. Worse, they gave you ways to determine the ID of a recent photo. And once you viewed a private photo in the album, the previous/next links worked, showing you the rest of the private photos in that album!
Here is a tutorial, from late February (AP is reporting that the flaw was fixed, so hopefully this doesn’t still work.)”
Comment 2 by Mark:
“Verified that they fixed it:
“The page you requested can not be displayed right now. It may be temporarily unavailable, the link you clicked on may have expired, or you may not have permission to view this page.”
BUT you can still see private photos in which you are tagged, even if you were omitted from the permissions list. I created a new album on my wife’s account, and blocked all her networks, and all her friends except one (not me). I added one picture of me, then tagged myself in it. On my account, it announced the photo to me with a thumbnail and I was able to view it. At no time did it warn me (on her account) that by tagging the photo I was expanding the permissions on that photo. Not a huge flaw, but still — if people are going to trust these privacy settings, they need to be bulletproof.”
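To make the two behaviours in Mark's comments concrete, here is an added example, not code from Facebook or from the original post: a small Python model of photo pages with an object-level authorization check. The `Album`, `Photo` and `PhotoStore` classes and every user name and id in it are constructed for this example. It puts the flaw from the first comment (a handler that returns whatever photo id it is given, with previous/next links that walk the rest of the album) next to a handler that checks the album's audience on every fetch, including the neighbour links, and it models the second comment by having the tag operation report when a tag widens who can see a photo instead of expanding the audience silently.

```python
"""Added example (not Facebook's code): object-level authorization for photo pages.

Models the two behaviours in Mark Jaquith's comments:
  1. a photo handler that trusts a guessable photo id (the described flaw),
     next to one that checks the album audience before returning anything;
  2. tagging a user whose access the album excludes, which the hardened
     version reports as an audience expansion instead of doing silently.
All users, ids and album names are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Album:
    album_id: int
    owner: str
    audience: set = field(default_factory=set)    # users allowed to view; owner always can
    photo_ids: list = field(default_factory=list)  # upload order, used for prev/next links


@dataclass
class Photo:
    photo_id: int
    album_id: int
    tagged: set = field(default_factory=set)


class PhotoStore:
    def __init__(self):
        self.albums = {}
        self.photos = {}
        self._next_photo_id = 1000  # sequential ids: as guessable as those in the comment

    def create_album(self, album_id, owner, audience):
        self.albums[album_id] = Album(album_id, owner, set(audience))

    def add_photo(self, album_id):
        pid = self._next_photo_id
        self._next_photo_id += 1
        self.photos[pid] = Photo(pid, album_id)
        self.albums[album_id].photo_ids.append(pid)
        return pid

    # --- the flaw: lookup by id with no permission check at all ---
    def view_photo_unchecked(self, photo_id):
        return self.photos.get(photo_id)

    # --- the fix: every photo fetch goes through one authorization decision ---
    def can_view(self, viewer, photo_id):
        photo = self.photos.get(photo_id)
        if photo is None:
            return False
        album = self.albums[photo.album_id]
        return (viewer == album.owner
                or viewer in album.audience
                or viewer in photo.tagged)  # tagged users see that one photo, as observed

    def view_photo(self, viewer, photo_id):
        if not self.can_view(viewer, photo_id):
            return None  # same answer for "missing" and "forbidden": no id oracle
        return self.photos[photo_id]

    def neighbours(self, viewer, photo_id):
        """Previous/next links, filtered by the same check as the photo page itself."""
        if not self.can_view(viewer, photo_id):
            return (None, None)
        ids = self.albums[self.photos[photo_id].album_id].photo_ids
        i = ids.index(photo_id)
        prev_id = ids[i - 1] if i > 0 else None
        next_id = ids[i + 1] if i + 1 < len(ids) else None
        if prev_id is not None and not self.can_view(viewer, prev_id):
            prev_id = None
        if next_id is not None and not self.can_view(viewer, next_id):
            next_id = None
        return (prev_id, next_id)

    def tag_photo(self, tagger, photo_id, user):
        """Only the album owner may tag; returns True when the tag widens who can see the photo."""
        photo = self.photos[photo_id]
        album = self.albums[photo.album_id]
        if tagger != album.owner:
            raise PermissionError("only the album owner can tag photos in this album")
        expands = not (user == album.owner or user in album.audience)
        photo.tagged.add(user)
        return expands  # a real UI would warn the owner before committing the tag


def demo():
    """Replays the scenario from the comments on constructed data and returns the outcomes."""
    store = PhotoStore()
    store.create_album(1, "wife", audience={"friend"})  # all networks and other friends blocked
    p1 = store.add_photo(1)
    p2 = store.add_photo(1)
    return {
        "guessed_id_unchecked": store.view_photo_unchecked(p1) is not None,  # flaw: True
        "guessed_id_checked": store.view_photo("stranger", p1) is not None,  # fix: False
        "friend_next_link": store.neighbours("friend", p1)[1],              # p2 for the allowed friend
        "tag_expands": store.tag_photo("wife", p1, "mark"),                # True: mark was excluded
        "tagged_can_view": store.view_photo("mark", p1) is not None,       # True, as Mark observed
        "tagged_next_link": store.neighbours("mark", p1)[1],               # None: no album walk
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of routing `neighbours` through the same `can_view` decision is the third sentence of the first comment: once a private photo page renders, the previous/next links must not become a second, unchecked path into the album. The `tag_photo` return value is where a warning to the album owner would hang, which is the gap the second comment describes.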