Facebook bug allows users to access private photos

A bug tied to Facebook's "Report/Block" process can be misused to access uploaded photos of people who have chosen not to share them publicly. Facebook is well known for its coarse-grained privacy settings, allowing users to selectively choose which of their friends have access to their photos, videos, and ‘Walls’. As the social network has grown beyond schools to include many users’ employers and family members, these privacy controls have become even more essential. Users often create “Friends Lists”, placing friends whom they don’t want to see their most personal content into lists with limited viewing rights.


To access the photos, users must:

  • Locate the person they wish to target
  • Click on the "Report/Block" button.
  • Choose "Inappropriate Profile photo", click "Continue"
  • Select the "Nudity or pornography" option, click "Continue"
  • Only check "Report to Facebook", click "Continue"
  • Only select "Help us take action by selecting additional photos to include with your report", click "Okay", which makes Facebook show additional photos of the target - photos that have previously been hidden from view.

Facebook has been notified of the flaw and is currently investigating the matter, but it is already too late for Facebook's CEO, Mark Zuckerberg: someone used the trick on his profile, harvested a number of his private photos, and made them public.
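The flaw described above is a secondary code path (the report flow's photo picker) that shows more than the normal profile view would. The following is an added example, not Facebook's code: a minimal model, with hypothetical names (`Photo`, `can_view`, `report_picker_unsafe`, `report_picker_safe`, `leaked`) and constructed sample data, showing the flawed pattern beside a hardened one and a regression check that catches the difference.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    audience: frozenset   # users the owner explicitly allowed (assumed model)
    public: bool = False

def can_view(viewer, photo):
    """Single authorization decision that every code path must share."""
    return photo.public or viewer == photo.owner or viewer in photo.audience

def profile_photos(viewer, photos, owner):
    """Normal profile view: the owner's photos, filtered by the viewer's rights."""
    return [p for p in photos if p.owner == owner and can_view(viewer, p)]

def report_picker_unsafe(viewer, photos, owner):
    """Flawed pattern: the report flow lists photos without consulting can_view()."""
    return [p for p in photos if p.owner == owner]

def report_picker_safe(viewer, photos, owner):
    """Hardened: the picker reuses the profile filter, so it can never show more."""
    return profile_photos(viewer, photos, owner)

def leaked(viewer, photos, owner, picker):
    """Regression check: ids a picker exposes beyond what the profile view allows."""
    allowed = {p.photo_id for p in profile_photos(viewer, photos, owner)}
    shown = picker(viewer, photos, owner)
    return sorted(p.photo_id for p in shown if p.photo_id not in allowed)

# Constructed sample data: alice has one public photo, one shared only with
# bob, and one visible to nobody but herself.
SAMPLE = [
    Photo(1, "alice", frozenset(), public=True),
    Photo(2, "alice", frozenset({"bob"})),
    Photo(3, "alice", frozenset()),
    Photo(4, "carol", frozenset(), public=True),
]

if __name__ == "__main__":
    for picker in (report_picker_unsafe, report_picker_safe):
        for viewer in ("mallory", "bob"):
            print(picker.__name__, viewer, leaked(viewer, SAMPLE, "alice", picker))
```

Running a check like `leaked()` against every endpoint that can return a user's media, for viewers with no relationship to the owner, is a cheap way to find paths that skip the shared authorization function.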
