The sleuths over at ZDNet discovered a flaw in Facebook's profile security earlier today that permitted anyone to view the private photos on another account - i.e., the photos you likely don't share with most people - by way of the Report/Block function listed on every profile page.
ZDNet describes how it worked:
Users are able to report “inappropriate profile photos” on a user’s profile. By checking the box “nudity or pornography,” the user is granted an opportunity to help Facebook “take action by selecting additional photos to include with your report.” Facebook will then display a number of additional photos that are not otherwise publicly available to the user. ... This flaw appears to expose private photos of any person on Facebook. We tried this out for ourselves: Sometimes, private photos were exposed; other times they weren’t.
It's frighteningly easy, but it does require you to report someone for "nudity and pornography." The folks at ZDNet demonstrated the flaw by accessing Facebook CEO Mark Zuckerberg's account and viewing his personal photos (spoiler alert: it worked). They go on to detail some more of the limitations and uncertainties in exploiting this flaw, but at this point it's all moot, because the flaw in the Report/Block option appears to be fixed. Facebook issued the following statement to CNET regarding the bug:
Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously.
The bug was a result of one of our most recent code pushes and was live for a limited period of time. Not all content was accessible; rather, a small number of one’s photos. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed.
I can confirm Facebook's solution because I tried to duplicate ZDNet's softcore hack on Zuckerberg's account and it didn't work. So, if you're reading this, Mr. Zuckerberg, I apologize for reporting you for "nudity or pornography" and hope you will understand the action was taken only in the cause of investigative journalism.
Unsure if this was a Facebook-wide fix or if Zuckerberg got priority and the rest of us would be tended to later, I attempted to access the photos behind the privacy setting of a couple of my Facebook friends but, alas, it was a fruitless endeavor. As far as I can tell, while in the process of a report, a user would reach this window in the second step:
However, contrary to ZDNet's instructions on how to access the private photos, the option to assist Facebook and "take action by selecting additional photos to include with your report" is no longer offered. You simply submit the report and the window closes. So, as with Mark Zuckerberg, I apologize to any of my friends who might get some Facebook admin heat because I reported you in an attempt to see if this bug was fixed.
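To make the underlying mistake concrete, here is an added toy model of the "select additional photos" step described above; it is not Facebook's code, and the user, photo and audience names are constructed. The buggy flow builds the candidate list from the reported account's whole photo set, while the fixed flow re-applies the same visibility rule the profile page uses, so the report dialog can never show more than the reporter could already see.

```python
# Added example (not Facebook's code): toy model of a "report additional photos" flow.
# The vulnerable version offers the reporter every photo on the reported account;
# the fixed version only offers photos the reporter could already view.
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: int
    audience: str  # constructed privacy levels: "public", "friends" or "only_me"


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    photos: list = field(default_factory=list)


def can_view(viewer: User, owner: User, photo: Photo) -> bool:
    """The visibility rule the profile page applies to a single photo."""
    if viewer is owner or photo.audience == "public":
        return True
    if photo.audience == "friends":
        return viewer.name in owner.friends
    return False  # "only_me": nobody but the owner


def additional_photos_vulnerable(reporter: User, reported: User) -> list:
    """Buggy flow: lists the account's full photo set for the report UI
    without re-checking what the reporter is allowed to see."""
    return [p.photo_id for p in reported.photos]


def additional_photos_fixed(reporter: User, reported: User) -> list:
    """Hardened flow: every candidate must pass the normal visibility check."""
    return [p.photo_id for p in reported.photos if can_view(reporter, reported, p)]


def private_photos_leaked(reporter: User, reported: User, offered: list) -> list:
    """Defender's check: offered photo IDs the reporter has no right to view."""
    by_id = {p.photo_id: p for p in reported.photos}
    return [i for i in offered if not can_view(reporter, reported, by_id[i])]


# Constructed sample data: a stranger reports an account holding mixed-privacy photos.
OWNER = User("owner", friends={"alice"},
             photos=[Photo(1, "public"), Photo(2, "friends"), Photo(3, "only_me")])
STRANGER = User("stranger")
ALICE = User("alice")
```

Running `private_photos_leaked` over what each flow offers to `STRANGER` is the regression check that would have caught this class of bug before a code push.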