Skip to main content

Facebook closes loophole that exposes private photos

facebook eye
Image used with permission by copyright holder

Facebook has disabled parts of it abuse report system that allowed users’ private photos to be viewed by anyone.

The problem, according to a Facebook spokesperson, was due to recent changes to its abuse report system, which allowed any user to flag a number of photos in another user’s album that he or she deemed “inappropriate,” even if the user filing the abuse report was not friends with the user with the private photos.

Recommended Videos

“Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously,” said a Facebook spokesperson, in an email to Digital Trends. “The bug allowed anyone to view a limited number of another user’s most recently uploaded photos irrespective of the privacy settings for these photos.  This was the result of one of our recent code pushes and was live for a limited period of time. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed.”

facebook-zuckerberg-chickenThe loophole was originally uncovered on the forum of BodyBuilding.com, by user ThePoz, a 6-foot 5-inch 205-pounder from Syracuse, New York.

The patch did not come quickly enough for at least one user, however: Facebook co-founder Mark Zuckerberg. Thanks to some security wall-jumping sleuths at Hacker News and Reddit (where the BodyBuilding.com thread was posted and made widely visible), a number of Zuckerberg’s personal photos are now rapidly making their way around the Web.

Prior to its closing, the loophole worked like this: Go to the photos page of a user who is not your friend. Click on the “Report/Block” tab, and select “Inappropriate Profile photo.” After going through a number of pop-up windows, users who select to “Help us take action by selecting additional photos to include with your report,” were then allowed to pick other photos from that user’s albums. A little clever copy/paste of an image’s URL, and voila, private photos for all to see.

This is only the latest privacy flub Facebook has had to deal with since its launch in 2006. Just last week, Facebook settled with the Federal Trade Commission, which had accused the popular social network of engaging in “unfair and deceptive” privacy practices. The terms of the settlement require Facebook to receive explicit consent from users before changing any privacy settings, and to subject itself to independent audits of its privacy system for the next 20 years.

Because of this scrutiny, Facebook was quick to reiterate its commitment to user privacy, and it’s ability to keep private user data safe.

“The privacy of our user’s data is a top priority for us, and we invest lots of resources in protecting our site and the people who use it,” said Facebook’s spokesperson. “We hire the most qualified and highly-skilled engineers and security professionals at Facebook, and with the recent launch of our Security Bug Bounty Program, we continue to work with the industry to identify and resolve legitimate threats to help us keep the site safe and secure for everyone.”

Topics
Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…
I paid Meta to ‘verify’ me — here’s what actually happened
An Instagram profile on an iPhone.

In the fall of 2023 I decided to do a little experiment in the height of the “blue check” hysteria. Twitter had shifted from verifying accounts based (more or less) on merit or importance and instead would let users pay for a blue checkmark. That obviously went (and still goes) badly. Meanwhile, Meta opened its own verification service earlier in the year, called Meta Verified.

Mostly aimed at “creators,” Meta Verified costs $15 a month and helps you “establish your account authenticity and help[s] your community know it’s the real us with a verified badge." It also gives you “proactive account protection” to help fight impersonation by (in part) requiring you to use two-factor authentication. You’ll also get direct account support “from a real person,” and exclusive features like stickers and stars.

Read more
Here’s how to delete your YouTube account on any device
How to delete your YouTube account

Wanting to get out of the YouTube business? If you want to delete your YouTube account, all you need to do is go to your YouTube Studio page, go to the Advanced Settings, and follow the section that will guide you to permanently delete your account. If you need help with these steps, or want to do so on a platform that isn't your computer, you can follow the steps below.

Note that the following steps will delete your YouTube channel, not your associated Google account.

Read more
How to download Instagram photos for free
Instagram app running on the Samsung Galaxy Z Flip 5.

Instagram is amazing, and many of us use it as a record of our lives — uploading the best bits of our trips, adventures, and notable moments. But sometimes you can lose the original files of those moments, leaving the Instagram copy as the only available one . While you may be happy to leave it up there, it's a lot more convenient to have another version of it downloaded onto your phone or computer. While downloading directly from Instagram can be tricky, there are ways around it. Here are a few easy ways to download Instagram photos.

Read more