A flaw in Facebook’s image reporting tool allows users to view the private photos of other users, including those of Facebook founder Mark Zuckerberg — like the one at the top of this story.
The flaw was found by members of a bodybuilding forum, who discovered that if they reported a public Facebook photo for abuse – using the tool that Facebook offers to report nudity or pornography – they could access other nonpublic photos for the same user they’re reporting, according to ZDNET.
Facebook’s tool asks the reporting user to help Facebook “take action by selecting additional photos to include with your report,” then displays a handful of other private photos belonging to the individual who is being reported. The person reporting the abuse can then rifle through the user’s other images.
Members of the bodybuilder forum used the flaw to peruse the images of women they found attractive. They then targeted Zuckerberg and began viewing his private photos, and posted some of them to an image site.
Facebook told ZDNET it’s investigating.
The FTC recently slapped Facebook’s hand for deceiving users into thinking that their information would be kept private, although it was “repeatedly” shared with the public.
The deal, which carries no financial penalties, demands that the social-networking site obtain the “express consent” of its 850 million users before their information “is shared beyond the privacy settings they have established.”
UPDATE 12:00PM PST: A Facebook spokesperson has issued a statement saying that the bug has been fixed. The bug was “discovered in one of our reporting flows” that allowed users to report multiple instances of inappropriate content. The code was live “for a limited period of time” and affected an unspecified limited number of users before being fixed.
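The pattern behind this kind of bug, a secondary reporting flow that lists a user's photos without applying the viewer's privacy check, shown beside a corrected version. This is an added illustration, not Facebook's code or part of the original story; the data model, names and visibility levels are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed data model; names and visibility levels are assumptions,
# not Facebook's actual schema.
@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    visibility: str  # "public", "friends" or "only_me"

FRIENDS = {"alice": {"bob"}}  # owner -> accounts allowed to see "friends" photos
PHOTOS = [
    Photo(1, "alice", "public"),
    Photo(2, "alice", "friends"),
    Photo(3, "alice", "only_me"),
    Photo(4, "alice", "public"),
]

def can_view(viewer: str, photo: Photo) -> bool:
    """The privacy check an ordinary photo-viewing path would apply."""
    if viewer == photo.owner or photo.visibility == "public":
        return True
    if photo.visibility == "friends":
        return viewer in FRIENDS.get(photo.owner, set())
    return False

def report_candidates_flawed(reporter: str, reported_id: int) -> list[Photo]:
    """Flawed pattern: selects by owner only, so the reporter's right to
    see each suggested photo is never checked."""
    reported = next(p for p in PHOTOS if p.photo_id == reported_id)
    return [p for p in PHOTOS
            if p.owner == reported.owner and p.photo_id != reported_id]

def report_candidates_checked(reporter: str, reported_id: int) -> list[Photo]:
    """Corrected pattern: the reported photo and every suggested photo must
    pass the same check as ordinary viewing."""
    reported = next((p for p in PHOTOS if p.photo_id == reported_id), None)
    if reported is None or not can_view(reporter, reported):
        return []
    return [p for p in PHOTOS
            if p.owner == reported.owner and p.photo_id != reported_id
            and can_view(reporter, p)]

def leaked_ids(reporter: str, photos: list[Photo]) -> list[int]:
    """Regression helper: IDs in a response that the reporter may not view."""
    return [p.photo_id for p in photos if not can_view(reporter, p)]
```

A check like `leaked_ids` can run as a regression test against every endpoint that returns another user's content, not only the main viewing path.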