For the new year, Facebook posted a "Midnight Message Delivery" app for people to send notes when the clock struck 12. It was a cute idea, but the app was easily hacked.
Computer science student Jack Jenkins first discovered the security flaw: changing the message ID in the URL brought users to other people's messages, which were meant to be private. For example, this confirmation link ends in a sequential number that can be edited by hand: http://www.facebookstories.com/midnightdelivery/confirmation?id=76188.
Being able to read private messages was one issue; another was the ability to delete messages that their senders expected to be delivered.
Facebook has since disabled the app.
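Both problems above come down to the same defect: the app trusted whatever id the URL carried and never checked that the logged-in user was a party to that message. The following added illustration, which is not Facebook's code and uses constructed names and messages, shows a lookup that trusts the supplied id beside one that checks ownership before reading or deleting:

```python
# Added illustration (not Facebook's code): a minimal model of the
# "confirmation?id=..." lookup described above, with a vulnerable handler
# beside an authorization-checked one. Names and data are constructed.
from dataclasses import dataclass


@dataclass
class Message:
    id: int
    sender: str
    recipient: str
    body: str


# Constructed store with sequential ids, like the number in the URL above.
MESSAGES = {
    76188: Message(76188, "alice", "bob", "Happy new year, Bob!"),
    76189: Message(76189, "carol", "dave", "See you at midnight."),
}


def view_vulnerable(db, message_id):
    """Returns any message whose id the caller supplies. There is no
    ownership check, so anyone can read other users' messages by
    changing the id in the URL."""
    msg = db.get(message_id)
    return msg.body if msg else None


def _is_party(msg, current_user):
    # Only the sender or the intended recipient may act on a message.
    return msg is not None and current_user in (msg.sender, msg.recipient)


def view_hardened(db, message_id, current_user):
    """Returns the message only if the logged-in user is sender or
    recipient. A missing id and a forbidden id give the same answer,
    so the id space cannot be probed to learn which messages exist."""
    msg = db.get(message_id)
    if not _is_party(msg, current_user):
        return None
    return msg.body


def delete_hardened(db, message_id, current_user):
    """Deletes only when the caller is the sender; True on success."""
    msg = db.get(message_id)
    if msg is None or msg.sender != current_user:
        return False
    del db[message_id]
    return True
```

The server-side check on `current_user` is the fix; making ids random rather than sequential is a useful extra layer but not a substitute for it.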
- How does such a security flaw affect Facebook's credibility? To what extent could this affect people's trust in future Facebook apps?
- In addition to disabling the app, should Facebook post a message about the flaw? If so, what should the company say?