Facebook’s newest service lets you schedule a private greeting for your friends that will be delivered exactly at midnight, sparing you the chore of deciding on an acceptable timeframe before or after the New Year. The app is fairly straightforward, but it appears that it launched with a rather inconvenient and undocumented feature.
A blogger by the name of Jack Jenkins discovered a loophole that allowed anyone with the URL to a Midnight Delivery confirmation message to view the recipients and the greeting itself, which they could also delete. Facebook quickly pulled the plug on the service after the bug was picked up by The Verge, and has since resolved the issue.
Some more background:
“When a user successfully submits a message to be sent to their friends, he or she will be displayed a confirmation screen that displays a URL: http://www.facebookstories.com/midnightdelivery/confirmation?id=XXXXX. From here, anyone that’s curious can simply change the ID variable at the end of the web address and then view other messages left for people.”
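The flaw described in that quote is a missing ownership check: the page trusted the id in the URL instead of asking who was logged in. The sketch below is an added illustration, not Facebook's code; the store layout, user names and function names are all assumptions, and it shows the lookup as reported next to a version that ties both viewing and deleting to the session user.

```python
import secrets

class Forbidden(Exception):
    """Caller may not see or change this message."""

def sample_store():
    # Constructed sample data; sequential ids mirror the guessable "id" parameter.
    return {
        1001: {"owner": "alice", "recipients": ["bob"], "text": "Happy New Year!"},
        1002: {"owner": "carol", "recipients": ["dave", "erin"], "text": "See you next year"},
    }

def view_confirmation_vulnerable(store, msg_id):
    # Before: the id from the URL is the only input consulted, so any
    # visitor holding an id receives the recipients and the greeting.
    return store[msg_id]

def authorize(store, session_user, msg_id):
    msg = store.get(msg_id)
    # One error for "no such id" and "not yours", so responses do not
    # reveal which ids exist.
    if msg is None or msg["owner"] != session_user:
        raise Forbidden("message not found")
    return msg

def view_confirmation(store, session_user, msg_id):
    # After: the authenticated session, not the URL, decides access.
    msg = authorize(store, session_user, msg_id)
    return {"recipients": list(msg["recipients"]), "text": msg["text"]}

def delete_message(store, session_user, msg_id):
    # Deletion goes through the same ownership check as viewing.
    authorize(store, session_user, msg_id)
    del store[msg_id]

def new_message_id():
    # Defence in depth only: a random 128-bit id is hard to guess, but a
    # leaked URL still needs the ownership check above.
    return secrets.token_urlsafe(16)

if __name__ == "__main__":
    store = sample_store()
    print(view_confirmation(store, "carol", 1002))
    try:
        view_confirmation(store, "alice", 1002)
    except Forbidden as exc:
        print("alice denied:", exc)
```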
This latest privacy scare is minor in comparison to what Facebook had to deal with almost continuously for the past few years. Most recently, a change to Instagram’s ToS set off a mini-exodus that the company quickly stopped by reverting the terms. The now-removed edit mentioned the use of individuals’ pictures in ads, a feature that sounds incredibly similar to Facebook’s own Sponsored Stories.
The latter set Facebook back $20 million earlier this month when it settled a class-action suit accusing the social network of using members’ information without their consent. About half that sum was set aside for affected users, each eligible for a $10 reimbursement.