Security Flaw in Facebook Exposes Your Messages
To usher in the New Year, Facebook recently launched Midnight Deliveries, a feature that lets users send private messages to their contacts for delivery at the stroke of midnight. But in a reported security slip-up, it was discovered that by simply changing a number in the URL, private messages could be viewed by anyone on the web.
In a blog post, IT student Jack Jenkins revealed how anyone logged in to Facebook could use simple URL manipulation to view other users' messages and photos, and even delete them. Jenkins wrote that by changing the numeric ID in the confirmation URL generated after a message is sent, you could view private messages sent by others, shown with your own profile picture next to them as if you had sent them.
What's worse, Jenkins realised that if you are able to see messages sent by others, you can delete them too. The IT student experimented by deleting a "1-1 message, to minimise disruption" and documenting it with screenshots.
While it is practically impossible to find a message by a specific user in order to view or manipulate it, thanks to the randomly generated string of numbers at the end of the URL, it is still possible to view messages by strangers. The Midnight Deliveries service will in all probability carry only generic wishes and festive season photographs, but it is a serious slip-up on Facebook's part that allows private messages to become public. Facebook has not commented on the issue, but the Midnight Deliveries site seems to be under maintenance now.
Facebook's privacy flaws have been in the news over the past week after founder Mark Zuckerberg's sister Randi found herself embroiled in controversy. The older Zuckerberg sibling was in for a surprise when she found a private picture of hers leaked on Twitter by a subscriber.
Zuckerberg chastised Callie Schweitzer, Vox Media's Marketing Manager, for invading her privacy. The former marketing head of Facebook soon regained her composure and graciously accepted Schweitzer's apology, saying, "I think you saw it [because] you're friends [with] my sister (tagged). Thanks for the apology." The tweet has since been deleted, but Zuckerberg was clearly sore about the entire incident, as she added, "I'm just sensitive to private photos becoming 'news.'"
Zuckerberg signed off by blaming social networking users for a lack of digital etiquette, rather than reflecting on what is wrong with the privacy settings of the website her younger brother Mark heads. A Twitter user named Anna (@girlvanized) pointedly told Zuckerberg, "Instead of vilifying a subscriber for not reading your mind, maybe you should talk to your brother about recent FB changes."
Facebook have implemented a new service to wish friends and family a Happy New Year, offering to deliver your message to them on the strike of midnight.
For example, I made this test one which you should be able to see saying "TEST TEST TEST TEST":
It is, you may say, a pretty harmless flaw, as they tend to be generic messages and you can't see who sent them (it shows your profile pic next to the message, as if you've sent it). However, you can see the names of the recipients of the message.
Some messages do contain a photo, one such message I saw contained a photo of a father and their child, another a family photo, another was a personally written message with a photo such as this:
A very bad part of it all is, I think, that you can actually DELETE other people's messages, which I have tested for myself on a single message as I thought that it would say access denied.
Screenshot 2:
After I actioned the deletion, this URL is no longer reachable, which may mean that I have deleted their message.
Screenshot 3:
I just wanted to share this. I don't know how a site like Facebook can continue to take these kinds of risks. PLEASE don't go deleting random messages, but try and delete one of mine that I set up especially if you want. And share this message with someone else who may be interested:
http://www.facebookstories.com/midnightdelivery/confirmation?id=76746
http://www.facebookstories.com/midnightdelivery/confirmation?id=76742
Jack. https://twitter.com/Jackthewelshman
UPDATE 31/12/2012 05:25 GMT – the site is currently down for maintenance. I sent it to Facebook too, so I think they are working on it.
UPDATE 31/12/2012 14:00 GMT – Facebook still haven't got back to me personally with any response. This is the reason that I contacted The Verge, to actually get some action taken.
UPDATE 31/12/2012 14:35 GMT – I have just checked, and the bug / oversight has now been fixed. You can no longer access other people's messages by changing the confirmation message ID.
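The flaw described in the article and in Jenkins's post is a missing object-level authorization check: the confirmation endpoint verified that a user was logged in, but never that the requested delivery belonged to that user, so a sequential ID in the URL was all that separated one person's message from another's. The following is an added example, not code from the article, from Jenkins, or from Facebook: a small Python model of such an endpoint with the vulnerable lookup-by-ID beside a hardened version, plus a log check for the probing pattern an ownership check produces. All function names, the in-memory store, the random confirmation token and the sample log lines are constructed for illustration.

```python
"""Added example (not the page's or Facebook's code): a view/delete endpoint
keyed by a sequential id, vulnerable and hardened side by side."""
import re
import secrets
from dataclasses import dataclass, field


class NotFound(Exception):
    """Returned both for a missing id and for an id the caller does not own."""


class LoginRequired(Exception):
    """Request carries no authenticated user."""


@dataclass
class Delivery:
    delivery_id: int
    owner: str                      # account that created the delivery
    recipients: list
    text: str
    # Hypothetical unguessable handle for the confirmation URL (an assumption
    # of this example, not something the page says the site used).
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def make_store():
    """Constructed sample records; sequential ids like those in the reported URLs."""
    return {
        76742: Delivery(76742, "jack", ["alice"], "TEST TEST TEST TEST"),
        76743: Delivery(76743, "bob", ["carol"], "Happy New Year from all of us"),
        76746: Delivery(76746, "jack", ["dave"], "second test message"),
    }


def view_vulnerable(store, current_user, delivery_id):
    """Mirrors the reported flaw: checks that *someone* is logged in, not who."""
    if current_user is None:
        raise LoginRequired()
    if delivery_id not in store:
        raise NotFound()
    return store[delivery_id]


def delete_vulnerable(store, current_user, delivery_id):
    """Same missing ownership check on the destructive action."""
    if current_user is None:
        raise LoginRequired()
    if delivery_id not in store:
        raise NotFound()
    del store[delivery_id]
    return True


def _owned(store, current_user, delivery_id):
    """Object-level authorization: the record must exist AND belong to the caller.
    A non-owner gets the same NotFound as a missing id, so walking an id range
    does not even reveal which ids exist."""
    if current_user is None:
        raise LoginRequired()
    rec = store.get(delivery_id)
    if rec is None or rec.owner != current_user:
        raise NotFound()
    return rec


def view_secure(store, current_user, delivery_id):
    return _owned(store, current_user, delivery_id)


def delete_secure(store, current_user, delivery_id):
    _owned(store, current_user, delivery_id)
    del store[delivery_id]
    return True


def view_by_token(store, current_user, token):
    """Defence in depth: a random token in the URL instead of a sequential id,
    with the ownership check still applied."""
    for rec in store.values():
        if secrets.compare_digest(rec.token, token):
            return _owned(store, current_user, rec.delivery_id)
    raise NotFound()


# Detection side: once ownership is enforced, id probing shows up as one
# account collecting 404s across many distinct ids.
LOG_RE = re.compile(r"user=(\S+) .*?confirmation\?id=(\d+) status=(\d+)")

SAMPLE_LOG = [  # constructed lines, not real server logs
    "user=acct_a GET /midnightdelivery/confirmation?id=76742 status=200",
    "user=acct_a GET /midnightdelivery/confirmation?id=76743 status=404",
    "user=acct_a GET /midnightdelivery/confirmation?id=76744 status=404",
    "user=acct_a GET /midnightdelivery/confirmation?id=76745 status=404",
    "user=acct_a GET /midnightdelivery/confirmation?id=76747 status=404",
    "user=acct_a GET /midnightdelivery/confirmation?id=76748 status=404",
    "user=acct_b GET /midnightdelivery/confirmation?id=76746 status=404",
]


def flag_id_probing(log_lines, min_distinct_ids=5):
    """Return accounts that received 404s for at least min_distinct_ids ids."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and int(m.group(3)) == 404:
            seen.setdefault(m.group(1), set()).add(int(m.group(2)))
    return sorted(u for u, ids in seen.items() if len(ids) >= min_distinct_ids)


def demo():
    """Run both versions against fresh copies of the sample store."""
    out = {}
    s = make_store()
    out["vuln_read_others"] = view_vulnerable(s, "jack", 76743).owner
    out["vuln_delete_others"] = delete_vulnerable(s, "jack", 76743) and 76743 not in s
    s = make_store()
    try:
        view_secure(s, "jack", 76743)
        out["secure_read_others"] = "allowed"
    except NotFound:
        out["secure_read_others"] = "not_found"
    try:
        delete_secure(s, "jack", 76743)
    except NotFound:
        pass
    out["secure_delete_others_kept"] = 76743 in s
    out["secure_read_own"] = view_secure(s, "jack", 76742).text
    out["token_read_own"] = view_by_token(s, "jack", s[76742].token).delivery_id
    out["flagged"] = flag_id_probing(SAMPLE_LOG)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The important design point is in `_owned`: the ownership check is applied to every operation on the resource (view and delete alike), and a non-owner receives exactly the same response as a missing record, so the endpoint neither serves nor confirms other people's messages. Random tokens in the URL help, but only as a second layer; the authorization check is what actually closes the hole.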
Source: Network18