Facebook has since restored the service
Facebook has managed to suffer one more privacy hiccup before the year's end.
On Monday morning, the social network temporarily disabled its New Year's message tool — a feature allowing users to send good tidings to each other at the stroke of midnight — after a British blogger found a security breach in the system's code, exposing private messages publicly.
It restored the service early Monday morning.
Jack Jenkins, a technology student at Aberystwyth University in Wales, discovered that tweaking a URL address allowed him to see messages and photos sent by strangers using the "Midnight Message Delivery" app.
Jenkins posted his finding on his blog, saying he was able to view a personal New Year's message and private family photo sent by a stranger to another named Facebook user.
"I just wanted to share this. I don't know how a site like Facebook can continue to take these kinds of risks," he wrote. "PLEASE Don't go deleting random messages, but try and delete one of mine that I set up especially if you want."
The loophole allows users to type random numbers at the end of a URL; if the numbers correspond to an actual note, it will be visible. For example, replace the Xs with the correct combination of numbers, and the message will appear: http://www.facebookstories.com/midnightdelivery/confirmation?id=XXXXX
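The flaw described above is a missing authorization check on an object id. The sketch below is an added example, not Facebook's code and not from Jenkins's post: it sets a lookup that trusts the `id` parameter beside one that checks the logged-in user against the message's sender and recipient. The function names, the in-memory store and the sample messages are all assumptions made for illustration; the article does not describe how Facebook actually fixed the app.

```python
import secrets

# Constructed sample data: ids, user names and text are invented for this example.
MESSAGES = {
    10001: {"sender": "alice", "recipient": "bob", "text": "Happy New Year, Bob!"},
    10002: {"sender": "carol", "recipient": "dave", "text": "See you in January."},
}


def confirmation_vulnerable(message_id):
    """Returns any message whose id exists; the caller's identity is never consulted."""
    return MESSAGES.get(message_id)


def confirmation_hardened(session_user, message_id):
    """Returns the message only to its sender or recipient.

    Unknown ids and other people's ids both yield None, so the response
    does not reveal which ids are in use.
    """
    msg = MESSAGES.get(message_id)
    if msg is None or session_user not in (msg["sender"], msg["recipient"]):
        return None
    return msg


def new_message_id():
    """128-bit random id: defence in depth, not a substitute for the check above."""
    return secrets.token_urlsafe(16)


def readable_ids(lookup, candidate_ids):
    """Regression-test helper: which ids in a range does this lookup disclose?"""
    return [i for i in candidate_ids if lookup(i) is not None]


if __name__ == "__main__":
    ids = range(10000, 10005)
    print("no check:  ", readable_ids(confirmation_vulnerable, ids))
    print("as alice:  ", readable_ids(lambda i: confirmation_hardened("alice", i), ids))
    print("as mallory:", readable_ids(lambda i: confirmation_hardened("mallory", i), ids))
```

Run as a regression test against your own application's store, `readable_ids` should return only the ids belonging to the session user it is called with.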
In a statement to the Next Web, Facebook said it had temporarily taken down the app while it patched the security hole.
Facebook did not immediately respond to requests from TheWrap for comment.