Facebook flaw allows access to private photos

Summary: A flaw in Facebook allows users to access private photos that are hidden from view, through no less than the social network's own image reporting tool.


Update: Facebook acknowledges the flaw, and fixes the bug.

'Report abuse' features in Facebook give users access to personal, private photos that would normally be hidden from view.

The flaw, spotted by members of a body building forum, no less, allows Facebook users to access photos revealed by the report abuse tool.

Only a handful of images are presented to the user as part of the 'report' feature, which is used by Facebook to maintain decency and remove harmful images, posts or content.

Here's how it works:

Users are able to report "inappropriate profile photos" on a user's profile. By checking the box "nudity or pornography," the user is granted an opportunity to help Facebook "take action by selecting additional photos to include with your report."  Facebook will then display a number of additional photos that are not otherwise publicly available to the user.
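An added illustration, not from the original article and not Facebook's code: a minimal model of the kind of flaw described above, where a secondary flow (the report photo picker) lists an owner's photos without applying the visibility check, next to a picker that does apply it. All class, function and user names and the sample data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    audience: str  # "public", "friends" or "only_me"

@dataclass
class PhotoStore:
    photos: list
    friends: dict = field(default_factory=dict)  # owner -> set of friends

    def can_view(self, viewer, photo):
        """Single policy decision that every code path must call."""
        if viewer == photo.owner or photo.audience == "public":
            return True
        if photo.audience == "friends":
            return viewer in self.friends.get(photo.owner, set())
        return False  # "only_me" and unknown audiences: deny by default

    def report_candidates_unchecked(self, reporter, owner):
        """Flawed picker: lists the owner's photos and ignores the reporter."""
        return [p for p in self.photos if p.owner == owner]

    def report_candidates(self, reporter, owner):
        """Hardened picker: offers only photos the reporter may already see."""
        return [p for p in self.photos
                if p.owner == owner and self.can_view(reporter, p)]

def overexposed(store, picker, reporter, owner):
    """Regression check: ids a picker returns that the reporter cannot view."""
    return sorted(p.photo_id for p in picker(reporter, owner)
                  if not store.can_view(reporter, p))

# Constructed sample data: bob is alice's friend, mallory is a stranger.
STORE = PhotoStore(
    photos=[Photo(1, "alice", "public"), Photo(2, "alice", "friends"),
            Photo(3, "alice", "only_me"), Photo(4, "bob", "public")],
    friends={"alice": {"bob"}},
)

if __name__ == "__main__":
    print(overexposed(STORE, STORE.report_candidates_unchecked, "mallory", "alice"))
    print(overexposed(STORE, STORE.report_candidates, "mallory", "alice"))
```

A check like `overexposed` belongs in the test suite for every flow that returns user content, so that a new code path which skips the shared policy function fails before release.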

Photos (such as the one below) were taken directly from Mark Zuckerberg's private photo collection on his profile and posted. Ed note: We debated the photo selection and whether to run one at all. We initially posted the Obama-Zuckerberg and then went with a dinner party. We flipped back to the picture with the most public figures. Ultimately, we decided running the picture made sense.

(Source: "Mark Zuckerberg", Facebook)

This flaw appears to expose private photos of any person on Facebook. We tried this out for ourselves: Sometimes, private photos were exposed; other times they weren't.

Members of the forum also posted onto an image sharing website some of Zuckerberg's private Facebook photos, which are normally inaccessible from public viewing.

The forum explored a number of the flaw's details. For example, private photos that are hidden or inaccessible to people who are friends can not only be accessed but can be enlarged to their full scale.

Some browsers restrict this flaw.

One thing to note: Exploiting this flaw requires reporting a Facebook member.

But this flaw is open for anyone to use -- and abuse. While Facebook anonymises the data that it gets through this reporting tool, the user whose profile pictures can be viewed will not know that their privacy has been invaded.

Update: Facebook issued this statement a short time ago:

"Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously.

The bug was a result of one of our most recent code pushes and was live for a limited period of time. Not all content was accessible, rather a small number of one's photos. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed."

Facebook added that the privacy of its users' data is a top priority for the company, and that it invests lots of resources in protecting its site and the people who use it.


  • RE: Facebook flaw allows access to private photos

    I've never uploaded any pictures other than my profile one (I link to external galleries on more trusted services), and certainly wouldn't trust anything remotely private to FB.
  • What else is new?

    So much for FB privacy improvements and settling of complaints against them!!!!!

    So much for the saying "keep your enemies closer"?? When they can file a false complaint to gain access to your private photos, etc.. anyhow??

    • RE: Facebook flaw allows access to private photos

      In case you didn't know, posting private matters is the whole purpose of facebook :-p When you don't want that, don't sign up.
  • AND....

    I never post photos of myself or family on FB..

    Every time I am asked by a friend to post a recent photo of my kids my answer is always "I do not trust FB or any other site's privacy settings" and I send the photos to his or her personal e-mail or phone directly !!!
    • RE: Facebook flaw allows access to private photos

      @jasonemmg Unless you encrypt the images, email is completely public when in transit.
  • RE: Facebook flaw allows access to private photos

    BWAHAHAHAHA. Keep those facebroke pages rolling folks!
  • RE: Facebook flaw allows access to private photos

    That is a White House photo, from their flickr feed. How is it private?

  • RE: Facebook flaw allows access to private photos

    Facebook is so stuffy about photos. It is ridiculous to think that they would allow this to even happen, just for the purpose of censorship. I have seen the photos that people have complained about. It sickens me that people would "like" a page KNOWING it had adult humor on it. Only to report said page after somehow being offended. Facebook always caters to these prudes and deems ANYTHING someone whines about a "violation". Makes me sick. I wish there was a decent alternative to FB besides lame Twitter.
  • Facebook, schmacebook

    The name of the website sez it all. Face up. FB is not intended for privacy. [Sound of violins/] FB is meant for sharing [/end violins]
  • RE: Facebook flaw allows access to private photos

    Facebook is a cult. But the odd thing is that no-one else seems to have noticed that Zuck's own presentations are all backed by that hexagon style symbol. It's always up on the screen whenever the poisonous anointed one speaks and he's even got it inside his hoodie! We're talking demonic, secret society style stuff here. All that's missing is the blood, horned creatures and chanting. Oh, they do the chanting already!

    Facebook is a force for really bad things, not least allowing the many tentacles of so-called 'authority' to pry even further into our lives. This photo thing almost exactly mirrors the policies of the Stasi, where ordinary citizens were encouraged to report on others. It's insidious.
    Graham Ellison
    • RE: Facebook flaw allows access to private photos

      @Graham Ellison How's your tinfoil hat fitting lately?
  • In the Words of Zuckerberg himself...

    You are a "dumb f%#k" to submit your personal information to my site (Facebook). -- Zuckerberg