Facebook fixes flaw that allowed access to private photos

Graham Cluley

Artist's impression of Mark Zuckerberg and friend

In the end, it took a picture of Mark Zuckerberg holding a dead chicken to get Facebook to fix a flaw that allowed strangers to access your private photos.

In an astonishing faux pas, the social networking site allowed users to have access to other users’ personal and private photographs that would normally be hidden from view – by taking advantage of a flaw in the “Report inappropriate profile photo” feature.

The flaw worked like this. If you’re a Facebook user, you can report other users’ profile pictures as being “inappropriate”. For instance, you can say that they contain “nudity or pornography”.

However, Facebook then gives an opportunity to select “additional photos to include with your report” and displays a selection of photographs – which may not be shared publicly.
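The pattern described above is a secondary flow (the report dialog) that lists a user's photos without re-applying the visibility rule the profile view enforces. The following added example is mine, not Facebook's code; the visibility levels, users and photos are constructed, and it contrasts the unchecked listing with a checked one plus a regression check that flags anything the report flow shows that the profile view would not.

```python
from dataclasses import dataclass, field

# Constructed visibility model for the example (not Facebook's real settings).
PUBLIC, FRIENDS, ONLY_ME = "public", "friends", "only_me"


@dataclass
class Photo:
    photo_id: int
    visibility: str


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    photos: list = field(default_factory=list)


def can_view(viewer: User, photo: Photo, owner: User) -> bool:
    """The single visibility rule the normal profile/album view applies."""
    if photo.visibility == PUBLIC or viewer.name == owner.name:
        return True
    if photo.visibility == FRIENDS:
        return viewer.name in owner.friends
    return False  # ONLY_ME: nobody but the owner


def additional_photos_unchecked(reporter: User, reported: User) -> list:
    """Bug pattern from the article: the report flow enumerates the reported
    user's photos and never asks whether the reporter may see them."""
    return [p.photo_id for p in reported.photos]


def additional_photos_checked(reporter: User, reported: User) -> list:
    """Fix: every secondary flow filters through the same authorization rule
    as the primary view, so it can never reveal more than the profile does."""
    return [p.photo_id for p in reported.photos if can_view(reporter, p, reported)]


def report_flow_leaks(reporter: User, reported: User, flow) -> list:
    """Regression check: photo ids the report flow shows that the reporter
    cannot see via the profile view. An empty list means no leak."""
    visible = {p.photo_id for p in reported.photos if can_view(reporter, p, reported)}
    return sorted(set(flow(reporter, reported)) - visible)


# Constructed sample data: one owner with a public, a friends-only and a private photo.
owner = User("owner", friends={"friend"},
             photos=[Photo(1, PUBLIC), Photo(2, FRIENDS), Photo(3, ONLY_ME)])
stranger = User("stranger")
friend = User("friend")
```

Running `report_flow_leaks(stranger, owner, additional_photos_unchecked)` returns the friends-only and private photo ids, while the checked variant returns an empty list; the same check can be dropped into a test suite so a future code push cannot reintroduce the gap unnoticed.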


The flaw was highlighted on a bodybuilding message forum (yes, really...) but really got the world’s attention when someone posted thirteen private photos from the Facebook account of Mark Zuckerberg.

In many ways it’s good that Zuckerberg’s account was targeted – if such a high profile figure hadn’t fallen victim, the flaw might have continued to be exploited for much longer, opening up opportunities for stalkers and others to view private photos.

So, how did this happen? Well, I think a clue can be found in a brief shot seen in last weekend’s BBC documentary about Facebook.

Move Fast and Break Things - poster at Facebook HQ

“Move fast and break things”. That’s a poster on the wall at Facebook’s HQ, and is the company’s internal motto.

You’ll notice the poster doesn’t say “Privacy matters”.

In other words, Facebook’s programmers are experimenting with new features and are testing them out on the live site without, in this case at least, the code being properly reviewed with privacy in mind.

The good news is that Facebook responded quickly once the problem made the tech headlines and the ability to report additional photos (and thus inadvertently see users’ private photos) is currently withdrawn.

Facebook issued a statement to the media about the flaw:

"Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously."

"The bug was a result of one of our most recent code pushes and was live for a limited period of time. Not all content was accessible, rather a small number of one's photos. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed."

It’s good that Facebook has fixed the flaw, as it impacted the privacy of users (including its CEO), but it should never have happened in the first place.

Journalist Helen Lewis-Hasteley was inspired by the incident to half-jokingly suggest that everyone should change their avatar picture to encourage Facebook to take privacy more seriously:


Maybe that’s not such a bad idea.

Facebook needs to stop making mistakes when it comes to its members’ privacy. Once users’ trust is broken, it will be very hard to restore.

If you’re on Facebook and want to stay informed about the latest scams, worms and privacy issues join the Sophos page on Facebook. You’ll find over 150,000 people there, regularly sharing information on threats and discussing the latest security news.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
