Facebook says it has patched a security hole on its New Year's Eve messaging service after an IT student in the U.K. discovered he could easily see other people's private messages.
Student and blogger Jack Jenkins, found that he could view the messages simply by changing the ID number displayed in the message's confirmation URL. The messages would show up as if he were sending the note. He could read the text, see any attached photos, and even delete the message.
According to Jenkins' blog, Facebook took down the service a few hours after he blogged about the issue. Facebook confirmed earlier this morning that it took the app down. "We are working on a fix for this issue now, and in the interim we have disabled this app on the Facebook Stories site to ensure that no messages can be accessed," a spokesperson said in an e-mail to CNET.
After Facebook revived the service, users can no longer view other messages by changing the ID number. This now sends a user back to his or her own New Year's messages. Users may be experiencing another bug that makes the app think New Year's Day has already passed in the U.S. At least one CNET writer on the East Coast reported seeing this error message:
Midnight on New Year's Eve has passed. Friends were able to wish each other a happy new year with a private message that was delivered to their Facebook inbox at exactly midnight on December 31.
We've contacted Facebook about this development and will update when we hear back.
What a way for Facebook to end 2012. The social network just rolled out its new privacy settings, which Internet privacy watchdogs promptly criticized. Last month, Facebook had to disable a loophole that might have allowed some accounts to be accessed without a password.