Portal is Facebook’s take on smart displays/speakers. It comes bundled with Amazon Alexa and with features like Superframe, which can display photos in a carousel-style when you are not actively using the screen. The thing is… you are only supposed to use your own album photos, not photos of a different user. Right?
The Facebook Portal product page does not list adding album photos of someone else as a feature. However, popular tipster and developer Jane Manchun Wong was recently able to do exactly that without too much effort. Whose photos did she use to test this broken feature? Well, those of Mark Zuckerberg himself.
I added Mark Zuckerberg’s Profile Picture album to my Facebook Portal’s Superframe when users are supposed to only able to add the albums that they own
I reported this to Facebook and they don't think this is a security vulnerability pic.twitter.com/6IsUpj8Nra
— Jane Manchun Wong (@wongmjane) October 30, 2019
Facebook does not consider this as a security vulnerability
The funny part of this story (or concerning, depending on how you want to see it) is that when Wong reached out to Facebook to report this issue, she was told by the company that “they don’t think this is a security vulnerability.”
On top of that, since the company doesn’t expect users to add albums of someone else to Superframe, she can’t remove the album containing Zuckerberg’s photos.
As of now, Jane is stuck with a creepy photo of Mark Zuckerberg staring right into her soul. The fact that the smart display comes with a camera and mic only makes the situation more unsettling.
“Jane… you invited me here, and I will watch you every day.”
If that weren’t enough, keep in mind that the device is running Amazon Alexa as the default voice assistant, which is notorious for raising more privacy concerns; now add Facebook hardware (Portal) into the equation and we just got ourselves some conspiracy theory material.
Facebook may want to look into this issue in the future, but right now there are no public plans for patching it. It certainly doesn’t classify as a bug, it’s just the side effect of an existing feature.
As a reminder, Facebook Portal units started shipping on October 15th, while the cheaper Portal TV will hit the market on November 5th of this same year. In this sense, we are talking about newly released products that will probably receive updates and bug fixes in the coming days, hopefully, one of those updates will fix this “feature”.