The service delivers New Year's messages from Facebook users to their selected pals at the stroke of midnight on 31 December, whether or not the user is online.
However, URL tweaking made it possible to see the intended recipients, and the contents of message. Security blogger Jack Jenkins was first to notice the bug, which had the potential to expose private message between secret lovers and other juicy information, assuming the parties involved were daft enough to use Facebook to exchange such sensitive information.
Schweitzer didn't know Randi Zuckerberg, but she was a friend of one of Schweitzer's sisters, hence the appearance of the photo in her timeline.
Rather than complaining about Facebook's privacy settings, the sister of the tech titan decided to rebuke the blameless Schweitzer (who apologised), via a Diva-like Twitter update.
Gupta and fellow security researcher Subho Halder from XY Security earned a ,500 reward from Facebook for discovering the Cross-Site Request Forgery (CSRF) bug, which stemmed from a failure to apply adequate security controls.
Gupta notified Facebook about the "Peeping Tom" bug in July but the social networking giant only recently rolled out a fix.
A video by XY Security illustrating the resolved webcam vulnerability can be found here.Days after news on the webcam vulnerability became public, Facebook was obliged to respond quickly to a flaw in its New Year "Midnight Delivery" messaging service.