Facebook logo
Facebook Messenger has over 600 million global users Reuters

Facebook cancelled the internship of a Harvard student after he revealed a major privacy flaw within the company's Messenger app, it has emerged.

Aran Khanna, a computer science and mathematics major, found out that messages sent on the app from desktops and mobiles included location data by default if the "location services" feature was enabled on the devices.

In May, he coded and launched an extension for Google's Chrome web browser called Marauder's Map, which exploited the vulnerability and claimed to let users "creepily track" their friends through Facebook messages.

The social media giant soon caught wind of the tool, which was downloaded more than 80,000 times from the Chrome Web Store, and ordered Khanna to take it down.

Khanna complied but the company later informed him that his summer internship offer had been rescinded.

A few days after the extension was released, Facebook fixed the vulnerability with a software patch that promised "full control" over how location information was shared on the app.

Privacy concerns

Facebook spokesman Matt Steinfeld said the tool had violated the social network's terms of use.

"Despite being asked repeatedly to remove the code, the creator of this tool left it up," he told CNBC on 13 August.

"This is wrong and it's inconsistent with how we think about serving our community."

But Khanna defended the release of the code, saying it was intended to put public pressure on Facebook to be "responsible guardians of privacy".

"There is something to take away from this entire experiment that I needed to share," he told CNBC.

"It raises some important questions about why it wasn't flagged internally years ago and why there was no public outcry."