So, Meta has this fancy feature called "Profile Lock." It’s advertised like a digital fortress. Turn it on, and boom—your past, your secrets, and your embarrassing historical profile pictures are hidden from the prying eyes of non-friends forever. Total privacy, right?
Well, I was on my phone using the Brave browser, looking at a locked profile. Out of pure curiosity, I typed "view-source:" before the URL.
I expected to see a wall of encrypted gibberish or a single boring placeholder image. Instead, if you scroll past their massive wall of CSS, Facebook literally just hands you the direct CDN links to the user's entire historical library of profile pictures. Full resolution. Publicly downloadable. No friendship required.
Naturally, I thought, "Wow, I just found a major privacy bypass. Let me report this to Meta’s Whitehat Bug Bounty program. Surely a multi-billion-dollar tech giant would want to patch this and hand me a nice fat reward check." 🤑
I filled out the form, attached the proof, and hit submit.
Two minutes later. The Meta triage bot updates my ticket status to: Not Applicable. ❌
Apparently, in Meta-land, if you hide an entire photo album from the frontend user interface but leave the direct high-resolution download links sitting in plain-text HTML for anyone who knows how to read... that’s not a security flaw. That’s "intended architecture."
Lesson learned: "Locked" on Facebook doesn't mean your data is in a vault. It just means they put a "Keep Out" sign on the front door while leaving the back wall completely missing.
Keep clicking that lock button, guys. I’m sure it’s doing something. 🤷‍♂️✈️