The apparent result of a design flaw, Facebook's photo-flagging feature allowed any user to view the private photos of any account. The flaw affected everyone, including Facebook's own CEO, Mark Zuckerberg. Facebook promptly disabled the flagging feature and has since fixed the issue.
A forum user from bodybuilding.com has been widely credited with exposing the flaw. As it turns out, no expertise was required to exploit it. Here's how it worked:
First, find a user and report them for having an inappropriate profile picture. During the reporting process, Facebook would display that person's photos, completely disregarding their privacy settings. If the person was not on your friends list, you could only view scaled-down photos. If the person was already on your friends list but had blocked you from seeing certain photos, you could view those pictures at full resolution.
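The flaw described above is a classic secondary-flow authorization bypass: the normal photo viewer checked privacy settings, but the report-abuse flow built its own photo list and never asked. The following is an added illustration, not Facebook's code; the users, photos, friendships and block lists are constructed sample data, and the function names are hypothetical. It places a report flow that skips the check beside one that routes every photo it renders through the same can_view() decision the primary viewer uses.

```python
"""Added example (not Facebook's code): a report flow that bypasses the
photo privacy check, beside one that reuses the single authorization
function every other flow calls. All data below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: int
    owner: str
    audience: str                              # "public", "friends" or "only_me"
    blocked: set = field(default_factory=set)  # viewers the owner explicitly excluded


# Constructed sample data: alice and bob are friends; mallory is a stranger.
FRIENDSHIPS = {frozenset({"alice", "bob"})}

PHOTOS = [
    Photo(1, "alice", "public"),
    Photo(2, "alice", "friends"),
    Photo(3, "alice", "friends", blocked={"bob"}),  # friends-only, but bob is blocked
    Photo(4, "alice", "only_me"),
]


def are_friends(a, b):
    return frozenset({a, b}) in FRIENDSHIPS


def can_view(viewer, photo):
    """The one authorization decision for a photo; every flow must use it."""
    if viewer == photo.owner:
        return True
    if viewer in photo.blocked:
        return False
    if photo.audience == "public":
        return True
    if photo.audience == "friends":
        return are_friends(viewer, photo.owner)
    return False  # "only_me" or an unknown audience: deny by default


def view_photo(viewer, photo):
    """Primary photo-viewing flow: enforces the check and raises on denial."""
    if not can_view(viewer, photo):
        raise PermissionError(f"{viewer} may not view photo {photo.photo_id}")
    return photo.photo_id


def recent_photos(owner, limit=5):
    """Most recently uploaded photos of an owner (list order stands in for time)."""
    return [p for p in PHOTOS if p.owner == owner][-limit:]


def report_flow_vulnerable(reporter, target):
    """Report-abuse flow that assembles the target's photos itself and never
    consults can_view(): the pattern the article describes."""
    return [p.photo_id for p in recent_photos(target)]


def report_flow_fixed(reporter, target):
    """Same flow, but each photo it renders must pass the shared check."""
    return [p.photo_id for p in recent_photos(target) if can_view(reporter, p)]


if __name__ == "__main__":
    for viewer in ("mallory", "bob", "alice"):
        print(viewer, "vulnerable:", report_flow_vulnerable(viewer, "alice"),
              "fixed:", report_flow_fixed(viewer, "alice"))
```

The useful regression check is the comparison itself: for every viewer, the set of photos a secondary flow (reporting, tagging, search previews) is willing to render should never exceed what view_photo() would allow that viewer. Keeping the decision in one function and having each flow call it is what makes that property easy to test.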
The issue was resolved shortly after Facebook released the following statement:
Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously. The bug allowed anyone to view a limited number of another user's most recently uploaded photos irrespective of the privacy settings for these photos. This was the result of one of our recent code pushes and was live for a limited period of time. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed.
The privacy of our users' data is a top priority for us, and we invest significant resources in protecting our site and the people who use it. We hire the most qualified and highly-skilled engineers and security professionals at Facebook, and with the recent launch of our Security Bug Bounty Program (http://www.facebook.com/whitehat/), we continue to work with the industry to identify and resolve legitimate threats to help us keep the site safe and secure for everyone.
Even while facing the exaggerated threat of being taken down on November 5, Facebook's security was judged top-notch by most analysts. Despite that hardening against hackers, there have been a number of seemingly blundering oversights: the attachment bug that resulted in a slew of pornographic and macabre photos, unauthorized users posting to public profiles, and measures taken against data mining that did not live up to expectations.
As the statement mentions, the company currently offers a bounty program, paying people who report vulnerabilities up to $7000. I wonder if the person who shared this on bodybuilding.com missed his or her chance to cash in?