Facebook fixes New Year's Eve message privacy flaw, report says

FILE - In this Feb. 11, 2011 photo, a Facebook page is seen on a computer in Montpelier, Vt. Following on the popularity of sites like Groupon, Facebook is launching its own daily deals program Tuesday, April 26, 2011 in five U.S. cities. The social network hopes to exploit the peer-to-peer aspect of group buying when it begins testing offers in San Diego, San Francisco, Austin, Atlanta and Dallas.
AP Photo/Toby Talbot

Facebook's New Year's Eve "Midnight Delivery" service reportedly went offline briefly on the cusp of its big night because of an apparent privacy flaw.

The social network's New Year's Eve message delivery service the lets users automatically send private messages to their friends at the stroke of midnight on Dec. 31.

According to The Next Web, a blogger named Jack Jenkins noticed a security loophole that let anyone with the confirmation URL string see people's private messages. For example, by typing in random numbers in place of the "Xs" below, a corresponding note appeared -- if the number was assigned.


"By simple manipulation of the ID at the end of the URL of a sent message on the Facebook Stories site, you are able to view other peoples Happy New Year messages," Jenkins wrote on his blog and posted screenshots of what appears to be other people's private messages. 

Jenkins could not see who sent the note, but could see the intended recipients. While viewing the private messages, he claimed that he could also delete the greetings. 

According to The Next Web, a Facebook spokesperson confirmed the privacy flaw and released this statement:

"We are working on a fix for this issue now, and in the interim we have disabled this app on the Facebook Stories site to ensure that no messages can be accessed."

The site was reportedly taken down briefly Monday and the security loophole apparently fixed.

Facebook did not immediately respond to CBS News' request for comment.