Pakistan News update
Facebook security hole can expose private pictures
Editor’s Note: The following article is reprinted from the Today @ PC World blog at PCWorld.com.
A flaw in Facebook’s system for reporting objectionable photos on the website was exploited to view confidential images from its members’ accounts. The exploit has already been used to snatch photos from Facebook founder Mark Zuckerberg’s private photo collection, which have since been posted to the Web.

Mark Zuckerberg’s private pictures were exposed through a security hole his company scrambled to fix Tuesday.
The flaw, which was first revealed at a body-building website, allows a person to access some of a member’s photos, including private ones, by choosing to block or report the member for having an inappropriate profile picture. At the end of that process, Facebook will display photos from the member that are not ordinarily publicly available for viewing. If the member being reported is a “friend,” photos can not only be accessed, but enlarged to full scale.
In the posting at the body-building site, its author warns anyone inclined to try the exploit not to use their own Facebook account because it could get suspended. “I urge you to use [the exploit] on a dummy account if you care about keeping your Facebook profile active,” the poster advised.
The report abuse feature of Facebook is a self-policing mechanism. It allows members to block communication from people who are annoying or bullying them and flag inappropriate profile pictures—nude or obscene shots, for instance—or fake accounts.
Example of the security hole in action
Facebook is looking into the exploit and has released the following statement:
Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously. The bug allowed anyone to view a limited number of another user’s most recently uploaded photos irrespective of the privacy settings for these photos. This was the result of one of our recent code pushes and was live for a limited period of time. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed.
The privacy of our users’ data is a top priority for us, and we invest significant resources in protecting our site and the people who use it. We hire the most qualified and highly-skilled engineers and security professionals at Facebook, and with the recent launch of our Security Bug Bounty Program (http://www.facebook.com/whitehat/), we continue to work with the industry to identify and resolve legitimate threats to help us keep the site safe and secure for everyone.
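The statement above describes a secondary flow (the report dialog) that returned a member's recent uploads without the privacy check the ordinary photo viewer applies. As an added illustration, not Facebook's code, with a constructed data model, account names and visibility labels, here is that bug pattern beside the fix of routing every photo-returning path through the one visibility predicate:

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Photo:
    owner: str
    visibility: str  # "public", "friends" or "only_me" (constructed labels)
    uploaded_at: int

@dataclass
class Account:
    name: str
    friends: set[str] = field(default_factory=set)
    photos: list[Photo] = field(default_factory=list)

def can_view(viewer: str, photo: Photo, accounts: dict[str, Account]) -> bool:
    # The one privacy predicate every photo-returning path should go through.
    if viewer == photo.owner or photo.visibility == "public":
        return True
    if photo.visibility == "friends":
        return viewer in accounts[photo.owner].friends
    return False

def recent_uploads(member: str, accounts: dict[str, Account]) -> list[Photo]:
    return sorted(accounts[member].photos, key=lambda p: p.uploaded_at, reverse=True)

def report_preview_vulnerable(reporter: str, reported: str, accounts, limit: int = 5):
    # Bug pattern from the statement: the report flow lists recent uploads
    # without applying the viewer's privacy check at all.
    return recent_uploads(reported, accounts)[:limit]

def report_preview_fixed(reporter: str, reported: str, accounts, limit: int = 5):
    # Fix: filter through the same predicate the normal viewer uses, before
    # truncating, so private uploads never reach the reporter.
    return [p for p in recent_uploads(reported, accounts)
            if can_view(reporter, p, accounts)][:limit]

# Constructed sample accounts: "friend" is on owner's friend list, "stranger" is not.
ACCOUNTS = {
    "owner": Account("owner", friends={"friend"}, photos=[
        Photo("owner", "public", 1), Photo("owner", "friends", 2), Photo("owner", "only_me", 3)]),
    "friend": Account("friend"),
    "stranger": Account("stranger"),
}

def visible_via_report(reporter: str, fixed: bool) -> list[str]:
    # Visibility labels of the photos the report preview shows this reporter.
    flow = report_preview_fixed if fixed else report_preview_vulnerable
    return [p.visibility for p in flow(reporter, "owner", ACCOUNTS)]
```

A regression test that asserts the report preview and the normal viewer return the same set of photos for a non-friend is the check that would have caught this before the code push went live.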
Another, more pernicious flaw in Facebook was discovered in October by a security researcher. That vulnerability allows messages with attachments to be sent to any member of the social network. Such attachments could potentially contain malicious software.
This entry was posted by admin on December 7, 2011 at 4:50 pm, and is filed under IT News.