A week ago Facebook launched its ‘Midnight Delivery Feature’, which lets users send New Year wishes and have messages delivered automatically at the stroke of midnight. But the feature has been found to have a serious flaw that anyone can use to view and delete messages intended for other users.
Facebook Midnight Delivery Feature Flaw
A student blogger discovered that a simple manipulation of the page URL could allow users to access messages written by complete strangers, and even delete them. By simply changing the ID at the end of the URL of a sent message on the Facebook Stories site, a user can view anyone’s Happy New Year messages!
What may bother Facebook users is that when they enter a message to be delivered at midnight tonight, message recipients are given a confirmation screen displaying a URL. The URL is the same for everyone, except for the six-digit code at the end. Users with bad intentions can simply change the six-digit code to reach messages left by other users, which they can then read or delete.
Although such a person cannot see who sent the message, they can view the names of its recipients. This is a matter of concern for the social-networking giant, since some of the messages could be private in nature and the service is meant to allow messages to be read by the intended recipients only.
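The flaw described above is a missing object-level authorization check on a guessable identifier. The following is an added example, not Facebook's code: a hypothetical in-memory `MessageStore` that contrasts the ID-only lookup with a check against the logged-in user, assuming that sender and recipients may read a message and only the sender may delete it.

```python
import secrets

class MessageStore:
    """Hypothetical in-memory stand-in for a scheduled-message backend."""

    def __init__(self, random_ids=False):
        self.random_ids = random_ids
        self._messages = {}
        self._counter = 100000  # guessable six-digit IDs, as in the URL described above

    def create(self, sender, recipients, body):
        if self.random_ids:
            msg_id = secrets.token_urlsafe(16)  # 128 random bits, not enumerable
        else:
            msg_id = str(self._counter)
            self._counter += 1
        self._messages[msg_id] = {"sender": sender, "recipients": set(recipients), "body": body}
        return msg_id

    # Flawed pattern: possession of the ID is the only check.
    def view_insecure(self, msg_id):
        return self._messages.get(msg_id)

    def delete_insecure(self, msg_id):
        return self._messages.pop(msg_id, None) is not None

    # Hardened pattern: authorize the logged-in user against the object itself.
    def view(self, session_user, msg_id):
        msg = self._messages.get(msg_id)
        if msg is None or session_user not in msg["recipients"] | {msg["sender"]}:
            return None  # identical answer for "no such message" and "not yours"
        return msg

    def delete(self, session_user, msg_id):
        msg = self._messages.get(msg_id)
        if msg is None or session_user != msg["sender"]:
            return False  # assumption: only the author may delete
        del self._messages[msg_id]
        return True

def demo():
    store = MessageStore()
    target = store.create("alice", ["bob"], "Happy New Year!")  # constructed sample data
    own = store.create("mallory", ["carol"], "Cheers")          # requester's own message
    other_id = str(int(own) - 1)                                # URL suffix edited by one
    return {"insecure_view": store.view_insecure(other_id) is not None,
            "hardened_view_stranger": store.view("mallory", other_id) is not None,
            "hardened_view_recipient": store.view("bob", target) is not None,
            "hardened_delete_stranger": store.delete("mallory", other_id),
            "hardened_delete_author": store.delete("alice", target)}
```

Random identifiers only make enumeration impractical; the per-request ownership check is what keeps a leaked or shared URL from exposing the message.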
A Facebook spokesperson confirmed to TheNextWeb that the company is aware of the issue and working on a fix. The spokesperson said, “We are working on a fix for this issue now, and in the interim we have disabled this app on the Facebook Stories site to ensure that no messages can be accessed.”
UPDATE: Facebook has restored the service!