Earlier this evening we came across a privacy flaw on Facebook that allowed users to gain access to portions of their friends’ profiles that they should not have been able to see. We contacted Facebook about the issue over an hour ago (it remains unresolved), and they have asked us to refrain from going into too much detail as to how to reproduce it until it is fixed.
Update: Facebook has fixed the issue as of Saturday morning. The procedure for exploiting the bug was quite straightforward. Users simply had to deactivate their accounts under their Facebook settings, then immediately reactivate their account by logging back into Facebook (a process that took maybe thirty seconds). This apparently broke some privacy settings, as these users would then be able to see some of their friends’ profile information that they should not have had access to.
Facebook has responded with the following comment:
“While the scenario for the bug to work was a rare use case in the account reactivation process, we’re always concerned with any potential breach of user privacy. We worked quickly to address the reported bug and it was resolved within a few hours late last night.”
Facebook is well known for its granular privacy settings, allowing users to selectively choose which of their friends have access to their photos, videos, and ‘Walls’. As the social network has grown beyond schools to include many users’ employers and family members, these privacy controls have become even more essential. Users often create “Friends Lists”, segregating friends who they don’t want seeing their most personal content into lists with limited viewing rights.
The new bug allowed users to temporarily bypass these Limited Friends Lists, instead displaying profiles in their entirety, including photos and wall posts. Given the personal and often unprofessional nature of some photos and messages shared on Facebook, this was a potentially damaging security lapse.
It’s unclear how long the bug lasts – I found that refreshing a friend’s profile once or twice seemed to correct the issue and display only the information I was supposed to be seeing. But even if the bug only works temporarily, it’s easy enough to perform repeatedly that users could potentially view multiple profiles without much effort.
The error also serves as yet another blemish on the privacy controls of web-based services. Only two weeks ago, Google Docs revealed that it had inadvertently shared thousands of documents with users who should not have had access to them.
Thanks to Anjool for the tip.