Facebook bug can make your private photos public

Nothing is ever 100% secure; let's get this settled from the off. Whatever security any person or company puts in place, there's either some way to crack it or some flaw in the system that will allow people to circumvent it. Thus it's not really a shouting-at-Facebook moment to discover that a flaw has been found that allows people to see the private photos of others.
The flaw was first reported on the forums of BodyBuilding, presumably because the users of that website like taking photos of themselves and putting them online. The bug exploits the way the offensive photograph reporting tool works. I'm not going to describe it in too much detail here because I don't want to encourage anybody to try to view photographs that other people have made private, as they obviously want them to be kept private. However, the post does detail how the flaw works.
Facebook have said they are looking into the issue, which revolves around being able to report more than just the single photo you can see. It's not a bug in the system, but it is quite a substantial design flaw and, oddly, it is surprising that nobody has noticed it before.
Facebook has been heavily criticised in the last few years over matters of privacy, so there are people who will leap on this story as yet another example of how the company simply doesn't take its users' privacy seriously. Such problems have included a change to the terms and conditions that made all your photographs and statuses Facebook's property, and a settings change that made everything on everybody's profile accessible to search engines by default. Both times the change was quickly withdrawn.
ZDNet said...
Details of this flaw were examined in detail. While some browsers restrict this flaw, private photos that are hidden or inaccessible to people who are friends, can not only be accessed but enlarged to their full scale. This flaw is open for anyone to use — and abuse. While Facebook anonymises the reports that it gets through, the user whose profile pictures can be viewed will also not know that their privacy has been invaded.
There are real problems with privacy and the Internet, many of which seem to stem from people not understanding what the Internet really is and how it works. I have published a free Facebook Privacy Guide, though some settings have changed and the book needs a second edition when I get time. There's lots of advice in here, though, about how to keep yourself and your personal information safe and private when online, at least as safe and private as humanly possible.
As is always the case with these things the best advice is not to put embarrassing pictures or messages online in the first place, or to remove them after they've been seen by close friends. Some companies are working on solutions including one ingenious one I'm looking forward to where a picture can be programmed to expire after a specified time. These types of technology will no doubt help all of us in the future.


I must admit I don’t mind the reminder.
I use that as a trigger for an annual review.
The week of their birthday I scan their contact details, LinkedIn, Facebook & Twitter to make sure I have all of their public contact information up to date.
That and also send them a quick message.
Pro Tip – I also have a script that on a daily basis will choose a contact at random for review.
Ross
You da man, Martin! Do you know how many people on Reddit shot me links and it wasn’t until your article here that I ever saw a page like “Contacts only?” Google really doesn’t want you to find this info! Lol!
They didn’t hide it… if you’ve only accessed the calendar through Gmail from its tiny reminder notice interface, then you wouldn’t know how much more you can do with it. If you click the 9 boxes icon to access Google services, you can go to the full Calendar at any time and edit, add, change stuff at whim. Changes I make to the full calendar get updated to my Android’s calendar and vice versa, with the only difference being that having a full keyboard to type when I’m on my desktop/laptop is better than Swyping or poking contact and event information into the tiny calendar app.
Every comment has a point and is absolutely right, Google tries really hard to hide their settings. It was last year when I stopped using Google services altogether but two, Gmail and Photos. There was one point in time when I was going to change every account that was using a Gmail address; the result would’ve been more than just a headache, and I stuck with it.
Thanks for the Preview Martin
I turned off FB on my android phone. When I turned it back on, all of the birthdates appeared along with holidays, etc. I do not like this feature as it does not allow me to notice the appointments that I place on my calendar. Please tell me how to delete. When I go onto calendar on my android, it does not have settings, so unable to delete or change calendar. I don’t want notifications to appear when the birthdays are approaching, but I don’t want them to be on the calendar 24/7. HELP
Google’s built-in calendar lets you turn off birthdays from your circles, but it does NOT let you turn off the import of Google+ birthdays into your contacts. So if you have a contact with an email address that matches a Google+ profile then their birthday is forced onto your Birthdays calendar.
Obviously this is annoying as heck, so I built a replacement Birthdays calendar without this problem:
https://better-cal.appspot.com
Hello, I am desperate for help please.
I often list items for sale via Facebook Marketplace. One of my items, out of 80 items on sale, was getting a strange amount of views. I had listed it before for about a year and it only ever reached a few hundred views or so. This time it had reached about 19,000 views in one week, which was fake and abnormal. I was getting horrible PMs from people on it, really nasty, mocking my costume and myself.
I had to take the item down, reported everything to Facebook, they did nothing!
I then took it down for 3 weeks and have just put it back up and the same thing is happening again. If I click the 3 little dots by the message it says leave group, but what group? It doesn’t tell me, nor is there a link. I am in a few local buy sell groups or community groups, but how do I know which one it is?
Any help on how to stop this would be appreciated, as someone said they think I’m being tagged in a group, but what group I don’t know. It’s not nice.
It has been a long time so I can’t say for sure but I think you can prevent people from tagging you and last I knew it asks you if someone has tagged you and then you can decline it.
If Facebook doesn’t help you then it’s clear that they don’t care about you and you should maybe think at the very least about moving your sales elsewhere.
These short articles aren’t worth the time spent reading. I am very disappointed with them.
This article is
Martin Brinkmann
Mar 6, 2015
Updated • Sep 29, 2018
Facebook, Tutorials
In short, it was a topic of its time and may not be useful in today’s world.
Subscribers should pay attention to the “article creation and update dates”.
@owl, I beg your pardon, however I didn’t comment here this comment but in one of Emre Çitak. I see posts of mine in some other articles too with some old dates. I hope someone will fix this issue soon.
What is this? A sales pitch for Facebook?
Facebook is an untrustworthy organization and its apps are junk.
Go out and do something real. Like meet your neighbors and have a BBQ
Why anyone would want to share details of their private life online is bewildering.
Must be all those endorphins one receives when someone likes a post.
@yanta,
I really like your comment!
Am I the only one seeing the ghacks article’s comment section mix-ups? Recent articles with commenting dated from years ago, on subjects having nothing to do with the article. This has been occurring now for a couple of weeks as far as I can tell.
Well I know what the word “META” means now in Hebrew. And it sure enough looks like it’s going down! Facebook is doing all it can to take away free speech. I can’t post anything that has got to do with the bible.
I can’t wait until they pull out of Android and make Messenger iOS only too while they are at it. Why do they hate poor people?
https://www.sammyfans.com/2023/08/24/messenger-lite-for-android-to-shut-down-in-september/
It’s odd how the “largest known covert digital influence operation” may not have been seen by any actual users.
“The campaign, which lasted over a year, garnered few, if any, eyeballs from real social media users, based on Meta’s analysis.”
https://www.politico.eu/article/china-behind-largest-ever-digital-influence-operation-says-meta/
Chinese accounts… even the reality is harder than expected. By the way, comments are still broken. Is there any intention to fix them? :S
Imagine paying for Facebook. If I were forced to pay for social media at gunpoint I’d easily pick Twitter despite its flaws.
You know even if it’s full of landmines from across the spectrum there are way more people my age. Doesn’t really matter what politics they have, they’re all my sisters and even if someone is at the complete opposite of me politically I’d still feel closer to them over the 50 and 60 somethings.
Even if we have different opinions we are all screwed the same and have more in common than we’d like to admit.
If they didn’t make it prohibitively expensive, then I would 100% pay for ad-free facebook. I’ve been wanting this since forever, just give us the choice to not see the frickin’ ads.
Glad I never got into social media.
Interesting article, however the unresolved issues here with the comments are very discouraging for us the readers. I haven’t found any explanation for this kind of problem from anyone responsible for this site, so I think this problem will last for some undefined time. Anyway, I will soon start my first job as a forestry engineer, so it’s probable that I will not have as much time to comment as before. Please keep up the good job with some interesting articles and fix the comments as soon as possible! :]
It would be more helpful if Facebook could just remove their entire website.
“Considering that only a minority of users is willing to pay for an ad-free experience, Meta would have to keep the regular versions for the rest of users.”
Just like the Be-spied-on “business model”, Pay-or-be-spied-on is still illegal under GDPR (*), even if it’s something that is encountered more and more often those times from many companies on the internet that do not respect the privacy laws and think they can comply instead with an unofficial version of those that they have written themselves. Which in practice is true because those laws are hardly applied, every judge and regulatory agency in Europe that has something to do with privacy laws crumbling under the bribes of Facebook and the like, and not even trying to do that quietly (see noyb dot eu). But there has to be a limit on how long they can delay justice against them.
“it is likely reduced, but it is unclear, if it is disabled entirely for paying users.”
What would be funny is if users end paying *and* being spied on, which would not be surprising from Facebook. After all how would one know what Facebook does ? They are already spying while it is illegal to do so, how would paying them deter them more from breaching our rights ? And it’s not like they are not known for being pathological liars as a company, too.
(*) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=FR
” (42) […] Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
@Martin. In your first paragraph, ‘edge’, not ‘Edge’.
lmao, half of the captcha that shows up after submitting is hidden, so… I can’t submit. Classic.
Re: Sept 18, 2023 article, Ask Meta to delete or block your personal data from third-party sources for AI training
I tried the page a few days ago. I’m in the US and selected the option two. I input my personal info – the same used for my FB account – which I haven’t signed into for a year or more. I got the following response from Facebook, basically brushing me off:
“Hi,
Thank you for contacting us.
Based on the information provided, we were unable to process your request. To help us process your request, please provide examples or screenshots that show evidence of your personal information (for example, your name, address or phone number) in responses from Meta’s generative AI models. Once you provide this evidence, we would be happy to investigate further.
If you have any questions about how Meta uses information from our products and services, please see our Privacy Policy: https://www.facebook.com/privacy/policy
To learn more about generative AI, and our privacy work in this new space, you can review the information we have in Privacy Center: https://www.facebook.com/privacy/genai
Thanks,
Privacy Operations”
The page didn’t ask for any “information”. Maybe because I’m in the US, Facebook won’t do anything? Maybe the page coding is messed up? Maybe this only works if you provide proof of AI use of your PII? Maybe it’s all just sound and fury signifying nothing?
Today I tried again, but the captcha challenge is formatted so you can’t see all the photos and can’t scroll or enlarge the pop-up.
Not even half-baked, I’d say..
I must say, this development from Meta is intriguing! The idea of ad-free versions of Facebook and Instagram is a breath of fresh air, especially for users like me who have been increasingly bothered by the overwhelming ads on these platforms.
Living in the EU, I appreciate the GDPR regulations and the push for more privacy-focused options. However, I’ll be curious to see how Meta plans to monetize these ad-free versions. Will they be subscription-based? If so, what will the pricing model look like? Will there be additional features or benefits for subscribers?
While the prospect of a less cluttered and more private social media experience is enticing, it’s important that Meta maintains a balance between user privacy and revenue generation. Striking that balance will be key to the success of these ad-free versions.
I hope Meta also considers extending this option to users outside the EU in the future. It would be great to see such privacy-centric alternatives available globally.
Additionally, I recently came across an interesting tool called “Instagram Story Anonymous” at storysnooper.com, which allows users to view Instagram Stories anonymously. It’s another example of how privacy-conscious individuals are seeking alternatives to maintain their online privacy. It will be interesting to see if Meta’s ad-free versions address similar concerns.
Overall, I’m cautiously optimistic about this development and will be keeping a close eye on how it unfolds. What are your thoughts on this, fellow readers?