Facebook has filled a hole that allowed strangers to view members' photos through the mobile version of the site, a spokesman said Tuesday after being alerted to the problem by CNET News Monday night.
"Today, we learned that certain photos could be viewed by unauthorized users who employed a complicated hack," a spokesman wrote in an e-mail. "Once we were notified of the issue, it was resolved within hours. These photos are no longer available to unauthorized users. We encourage security researchers examining Facebook to practice responsible disclosure."
Basically, someone who knew the serial number of a Facebook user, which is easy to get, and knew a trick for rejiggering the URL, could see private photos of that user. Small photos could also be changed to display in a larger size. The vulnerability only could be exploited with Firefox browsers.
"This week's hole is as good as the March 2008 thing, but easier to do," said Byron Ng, a Vancouver, Canada-based computer technician who notified CNET News of the problem. "And it allows you to target anyone."
CNET News verified the hole before it was fixed and was able to see a private photo of Facebook Founder Mark Zuckerberg, among others.
Facebook had a similar problem with photos being exposed to strangers in March, and has suspended third-party apps that violated the privacy of users who downloaded them. To minimize the risk, the company will soon be launching a program to verify the security of the outside apps.