Update: Facebook acknowledges the flaw and fixes the bug.
A 'Report abuse' feature in Facebook gives users access to personal, private photos that would normally be hidden from view.
The flaw, spotted by members of a bodybuilding forum, no less, allows Facebook users to access photos revealed by the report abuse tool.
Only a handful of images are presented to the user as part of the 'report' feature, which is used by Facebook to maintain decency and remove harmful images, posts or content.
Here's how it works:
Users are able to report "inappropriate profile photos" on a user's profile. By checking the box "nudity or pornography," the user is granted an opportunity to help Facebook "take action by selecting additional photos to include with your report." Facebook will then display a number of additional photos that are not otherwise publicly available to the user.
Photos (such as the one below) were taken directly from Mark Zuckerberg's private photo collection on his profile and posted. Ed note: We debated the photo selection and whether to run one at all. We initially posted the Obama-Zuckerberg and then went with a dinner party. We flipped back to the picture with the most public figures. Ultimately, we decided running the picture made sense. (Source: "Mark Zuckerberg", Facebook)
This flaw appears to expose private photos of any person on Facebook. We tried this out for ourselves: Sometimes, private photos were exposed; other times they weren't.
Members of the forum also posted onto an image sharing website some of Zuckerberg's private Facebook photos, which are normally inaccessible from public viewing.
The forum explored a number of the flaw's details. For example, private photos that are hidden or inaccessible to people who are friends can not only be accessed but can be enlarged to their full scale.
Some browsers restrict this flaw.
One thing to note: Exploiting this flaw requires reporting a Facebook member.
But this flaw is open for anyone to use -- and abuse. While Facebook anonymises the data that it gets through this reporting tool, the user whose profile pictures can be viewed will not know that their privacy has been invaded.
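As an added illustration (not from the article and not Facebook's code), the following hypothetical Python model shows the class of bug described above: a secondary flow such as the report tool must reuse the same visibility check as the profile view, or it will offer photos the reporter could not normally see. All names, audience values and sample data are constructed.

```python
"""Hypothetical model of the reporting flow described above (constructed
example, not Facebook's code): the profile view enforces each photo's
audience, and the report flow's 'select additional photos' step must apply
the same check or it will offer photos the reporter could not normally see."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    audience: str  # "public", "friends" or "only_me"

# Constructed sample data: three photos owned by "owner"; "alice" is a friend, "bob" is not.
PHOTOS = [
    Photo(1, "owner", "public"),
    Photo(2, "owner", "friends"),
    Photo(3, "owner", "only_me"),
]
FRIENDS = {("owner", "alice")}

def is_friend(owner: str, viewer: str) -> bool:
    return (owner, viewer) in FRIENDS or (viewer, owner) in FRIENDS

def can_view(photo: Photo, viewer: str) -> bool:
    """The single visibility rule that every code path should go through."""
    if viewer == photo.owner or photo.audience == "public":
        return True
    if photo.audience == "friends":
        return is_friend(photo.owner, viewer)
    return False  # "only_me"

def profile_photos(owner: str, viewer: str) -> list[int]:
    """Normal profile view: the audience check is applied."""
    return [p.photo_id for p in PHOTOS if p.owner == owner and can_view(p, viewer)]

def report_candidates_buggy(reported: str, viewer: str, limit: int = 5) -> list[int]:
    """The flaw: the report flow lists the owner's photos without re-applying
    can_view(), so photos hidden from the reporter are offered for selection."""
    return [p.photo_id for p in PHOTOS if p.owner == reported][:limit]

def report_candidates_fixed(reported: str, viewer: str, limit: int = 5) -> list[int]:
    """Fix: only offer photos the reporter could already see on the profile."""
    return [p.photo_id for p in PHOTOS
            if p.owner == reported and can_view(p, viewer)][:limit]

def leaked(reported: str, viewer: str) -> set[int]:
    """Photos the buggy flow exposes beyond the reporter's normal profile view."""
    return (set(report_candidates_buggy(reported, viewer))
            - set(profile_photos(reported, viewer)))
```

Comparing `leaked()` against an empty set for every viewer role is the kind of regression test that catches a code push reintroducing the secondary-path gap.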
Update: Facebook issued this statement a short time ago:
"Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously.
The bug was a result of one of our most recent code pushes and was live for a limited period of time. Not all content was accessible, rather a small number of one's photos. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed."
Facebook added that the privacy of its users' data is a top priority for the company, and that it invests significant resources in protecting the site and the people who use it.