Facebook Fixes Privacy Flaw

Zuckerberg's photos, including pictures of the CEO and his girlfriend, Priscilla Chan, brought the bug to the attention of the media on Tuesday. The pictures apparently appeared first on a bodybuilding web site, where members reported Nov.27 that they were able to see the private photos of others without permission.

To circumvent a Facebook member's security settings, a person had to first report that the member's profile picture contained nudity, pornography or some other inappropriate image. As part of the process, the reporter was given the option to add photos by providing access to photos listed as private.

Facebook shut down the option feature soon after Zuckerberg's pictures appeared on the web. The company said in a statement that the flaw stemmed from the social network's more recent code update and that the bug existed for a "limited period." "Not all content was accessible, rather a small number of one's photos," Facebook said. "Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed."

There's no indication that Facebook, which has more than 800 million users, knew of the flaw before Tuesday, so Zuckerberg's privacy breach had a silver lining. "In many ways it's good that Zuckerberg's account was targeted - if such a high profile figure hadn't fallen victim, the flaw might have continued to have been exploited for much longer opening up opportunities for stalkers and others to view private photos," Graham Cluley, a senior technology consultant at Sophos, said on the security vendor's blog.

Pointing out that Facebook's internal motto is "move fast and break things," Cluley believed the bug was a result of careless programming. "Facebook's programmers are experimenting with new features and are testing them out on the live site without, in this case at least, the code being properly reviewed with privacy in mind," he said.

The incident was an embarrassment for Facebook, which settled last week Federal Trade Commission charges of deceiving members about their ability to control privacy. The FTC said Facebook told users they could keep information private while allowing it to be shared and publicized. As part of an agreement with the FTC, the site promised to provide members clear notice of privacy options and to get consent from users before sharing information beyond what's allowed in members' privacy settings.

Following the FTC agreement, Zuckerberg acknowledged in the Facebook blog that the company had made "a bunch of mistakes."

"I'm committed to making Facebook the leader in transparency and control around privacy," he said.