A bug tied to Facebook’s “Report/Block” process can be misused to access uploaded photos of people who have chosen not to share them publicly, says a poster on the Bodybuilding.com forum.
To access the photos, users must:
1. Locate the person they wish to target.
2. Click on the “Report/Block” button.
3. Choose “Inappropriate Profile photo”, click “Continue”.
4. Select the “Nudity or pornography” option, click “Continue”.
5. Only check “Report to Facebook”, click “Continue”.
6. Only select “Help us take action by selecting additional photos to include with your report”, click “Okay”, which makes Facebook show additional photos of the target – photos that have previously been hidden from view.
According to the poster, users can also see the offered pictures in the original size by employing a couple of simple methods posted by other forum users.
He additionally notes that for some users the trick doesn’t work, but that success doesn’t seem to be tied to the type of browser they use. He warns, though, that users trying out this technique should use dummy accounts if they don’t want to lose their real Facebook profile.
He says that the flaw has been patched by Facebook, but ZDNet tried the trick and said it worked on a number of profiles.
Facebook has been notified of the flaw and is currently investigating the matter, but it’s already too late for Facebook’s CEO Mark Zuckerberg – someone used the trick on his profile and has harvested and made public a number of his private photos.