A hole in Facebook's account-reporting process potentially lets any user sneak a peek at someone else's private photos.
The process--outlined at a body-building site--requires you first to report or block that individual's Facebook account. From there, clicking on the option "Inappropriate photo profile" moves you to the next screen where you're asked why you find the photo inappropriate.
Clicking on the option to report the photo to Facebook then brings you to another window that says: "Help us take action by reporting additional photos to include with your report." Clicking on that last option reportedly reveals a page of thumbnail photos from or of that person, some of which could be private.
Comments on the body-builder's post claimed that the process worked for some people but not for others, at least as far as revealing private photos. Some said that the flaw is blocked in some browsers but not in others.
Our sister site ZDNet also found that the Facebook photo-hacking technique sometimes worked and sometimes didn't, although it apparently revealed at least some photos more often than not. In its testing, ZDNet was able to access a private photo of Facebook founder Mark Zuckerberg.
The average person might find this hack more trouble than it's worth, since it requires you to go through the hassle of reporting or blocking someone just on the off chance that you may see some personal photos. But it still raises valid privacy concerns, especially since it opens a way for dedicated--or obsessed--Internet stalkers to pry into the "private" photos of their targets.
Confirming the photo flaw, a Facebook spokesperson sent CNET the following statement today:
"Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously. The bug allowed anyone to view a limited number of another user's most recently uploaded photos irrespective of the privacy settings for these photos. This was the result of one of our recent code pushes and was live for a limited period of time. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed."
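As an added illustration, not CNET's or Facebook's code, here is a constructed Python model of the class of bug the statement describes: a bulk "report additional photos" picker that lists a user's most recent uploads without applying the privacy check that the normal photo view enforces, beside a fixed version that reuses that check. The user names, visibility values and friendship data are assumptions.

```python
from dataclasses import dataclass

# Constructed model: each photo has an owner and a privacy setting.
@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    visibility: str  # "public", "friends" or "only_me"

# Constructed friendship graph (treated as symmetric).
FRIENDS = {("alice", "bob")}

def is_friend(a: str, b: str) -> bool:
    return (a, b) in FRIENDS or (b, a) in FRIENDS

def can_view(viewer: str, photo: Photo) -> bool:
    """Single authorization rule that every surface showing a photo must reuse."""
    if viewer == photo.owner or photo.visibility == "public":
        return True
    if photo.visibility == "friends":
        return is_friend(viewer, photo.owner)
    return False  # "only_me" or an unknown setting: deny by default

def recent_photos(owner: str, photos: list, limit: int = 5) -> list:
    """Most recently uploaded photos of one user (higher id = newer)."""
    mine = [p for p in photos if p.owner == owner]
    return sorted(mine, key=lambda p: p.photo_id, reverse=True)[:limit]

def report_picker_vulnerable(viewer: str, reported: str, photos: list) -> list:
    # Bug pattern: the picker trusts the "reporting" context and lists
    # recent uploads irrespective of their privacy settings.
    return [p.photo_id for p in recent_photos(reported, photos)]

def report_picker_fixed(viewer: str, reported: str, photos: list) -> list:
    # Fix: the picker applies exactly the same check as the photo viewer.
    return [p.photo_id for p in recent_photos(reported, photos)
            if can_view(viewer, p)]

def leaked_ids(viewer: str, reported: str, photos: list) -> set:
    """Regression check: ids the vulnerable picker exposes beyond entitlement."""
    return (set(report_picker_vulnerable(viewer, reported, photos))
            - set(report_picker_fixed(viewer, reported, photos)))

# Constructed sample data: alice has one photo at each privacy level.
PHOTOS = [Photo(1, "alice", "public"), Photo(2, "alice", "friends"),
          Photo(3, "alice", "only_me"), Photo(4, "bob", "public")]
```

A stranger ("mallory") gets alice's "friends" and "only_me" photos from the vulnerable picker and only the public one from the fixed picker; the `leaked_ids` difference is what a regression test should assert is empty.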
Updated 11:15 a.m. PT with response from Facebook.