
Or privacy. The assumption here is that if someone thinks you have an inappropriate photo, you now have no right to privacy?


No, it's surely just a mistake. No one made an affirmative decision to skip "privacy". What happened is that whoever added the "select more images to block" feature somehow did it in a way that skips the normal access checks.

If there's a goof here, it's that the framework they've built apparently doesn't make the privacy controls mandatory. Developers have to remember to "turn them on" by calling an access control predicate or whatnot. That's bad. That's dumb. But it's not malicious.
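The opt-in versus mandatory access check described in the comment above, as an added example that is not part of the thread and is not Facebook's code. Every name here (`PhotoStore`, `can_view`, the picker functions, the sample users and photos) is hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    visibility: str  # "public" or "friends"

# Constructed sample data: bob is alice's friend, mallory is a stranger.
FRIENDS = {"alice": {"bob"}}
PHOTOS = [Photo(1, "alice", "public"),
          Photo(2, "alice", "friends"),
          Photo(3, "alice", "friends")]

def can_view(viewer, photo):
    """The access control predicate."""
    if viewer == photo.owner or photo.visibility == "public":
        return True
    return viewer in FRIENDS.get(photo.owner, set())

# Opt-in design: the raw accessor returns everything and each
# caller has to remember to apply can_view() itself.
def raw_photos_of(owner):
    return [p for p in PHOTOS if p.owner == owner]

def profile_photos_optin(viewer, owner):
    return [p for p in raw_photos_of(owner) if can_view(viewer, p)]

def report_picker_optin(viewer, owner):
    # Feature added later: the filter was forgotten and nothing objects.
    return raw_photos_of(owner)

# Mandatory design: photos can only be read through a store bound to
# a viewer, so a new feature cannot skip the check by omission.
class PhotoStore:
    def __init__(self, viewer):
        if not viewer:
            raise PermissionError("a viewer identity is required")
        self._viewer = viewer

    def photos_of(self, owner):
        return [p for p in PHOTOS
                if p.owner == owner and can_view(self._viewer, p)]

def report_picker_mandatory(viewer, owner):
    return PhotoStore(viewer).photos_of(owner)

def ids(photos):
    return [p.photo_id for p in photos]
```
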


I doubt that's the way this happened. More likely, the person who implemented the "inappropriate photo" feature wasn't fully aware that the "Report" functionality was enabled for everyone and not just your friends.

However, someone had to implement the backend for listing out those photos, and they clearly didn't think of access control, so there's at least something fishy here…


It's not the first time either. A very similar breach of privacy happened when they implemented the "view my profile as ..." functionality. You gained access to the private data of the user you were simulating.



