Privacy bugs at Facebook are nothing new, but that doesn’t make them any easier to stomach. Last week we caught wind of a new one that was relatively benign, but could have been a field day for mischief makers and spammers. Don’t worry, it didn’t give anyone access to your personal information — but it did let you post to the Wall of any Facebook Page you wanted, which can’t be welcome news to the major brands on Facebook, or politicians who go to great lengths to maintain a pristine public image. We spoke with Facebook about the problem last week and held this post until it issued a fix this evening.
This latest bug stemmed from Facebook’s impressive new iPhone app, which was released just over a week ago. The new app reproduces much of the functionality found on the Facebook homepage, including the ability to browse through News Feeds and Facebook Pages, and to post to these feeds. Unfortunately, the app failed to respect some of the privacy settings that govern these actions, and nothing on Facebook’s side stopped the resulting posts from going through.
On Facebook, Page administrators are given control over who can post to their walls — if you want to keep your page clean and display only your updates, you can block users from posting their comments. Alternatively, you can let users comment into an area that’s “Just for fans”, or you can show both fan comments and the Page’s updates in the same feed. Most brands use the first or second option, so that new visitors to their Pages only see content that they control by default (e.g. shared links and status updates).
The iPhone application ignored these settings, allowing you to post to a Page even if it was only supposed to be displaying posts from the Page Administrator. So, for example, you could visit President Obama’s Page, which understandably doesn’t allow for any comments, and write whatever you wanted to his feed. Granted, this wouldn’t get syndicated out to other users like his updates would, but anyone who visited Facebook.com/BarackObama would see your message nestled between President Obama’s shared links.
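The underlying lesson is that a Page’s wall settings have to be enforced where the post is accepted, not in whichever client happens to submit it. The following is an added illustration, not Facebook’s code: it models the three wall options described above (admin-only, a separate “Just for fans” area, and a combined feed), shows a check that trusts a client-supplied “allowed” flag beside one that evaluates the Page’s own settings, and includes a small audit that finds posts already on a wall that the settings would not have permitted. Class names, the rule that only fans may post in the two fan-enabled modes, and the sample Page data are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class WallPolicy(Enum):
    """The three wall settings a Page administrator can choose (assumed names)."""
    ADMIN_ONLY = "admin_only"        # only the Page's own updates are shown
    FANS_SEPARATE = "fans_separate"  # fan posts go to a "Just for fans" area
    COMBINED = "combined"            # fan posts and Page updates share one feed


@dataclass(frozen=True)
class Page:
    name: str
    admins: FrozenSet[str]
    fans: FrozenSet[str]
    policy: WallPolicy


@dataclass(frozen=True)
class PostRequest:
    page: Page
    user: str
    body: str
    # Flag the client computed from its own (possibly stale or wrong) view of
    # the settings. The vulnerable check below trusts it; the fixed one ignores it.
    client_claims_allowed: bool


@dataclass(frozen=True)
class WallPost:
    author: str
    body: str
    feed: str  # "main" or "fans": where the post actually landed


def authorize_vulnerable(req: PostRequest) -> Optional[str]:
    """Weak pattern: defers to the client's claim. A client that skips the
    settings (as the iPhone app did) can post to any wall."""
    if req.user in req.page.admins:
        return "main"
    if req.client_claims_allowed:
        return "main"
    return None


def authorize_server_side(req: PostRequest) -> Optional[str]:
    """Hardened pattern: the destination feed is derived solely from the
    Page's stored policy and membership. Returns the feed name, or None."""
    if req.user in req.page.admins:
        return "main"
    if req.page.policy is WallPolicy.ADMIN_ONLY:
        return None
    if req.user not in req.page.fans:
        return None  # assumption: non-fans may not post in any fan-enabled mode
    if req.page.policy is WallPolicy.FANS_SEPARATE:
        return "fans"
    return "main"  # WallPolicy.COMBINED


def audit_wall(page: Page, posts: List[WallPost]) -> List[WallPost]:
    """Detection: return posts sitting on a wall in a feed the Page's current
    settings would not have allowed, e.g. after a client-side bypass."""
    flagged = []
    for post in posts:
        allowed_feed = authorize_server_side(
            PostRequest(page, post.author, post.body, client_claims_allowed=True)
        )
        if allowed_feed != post.feed:
            flagged.append(post)
    return flagged


# Constructed sample data: an admin-only Page and a brand Page with a fans area.
OBAMA_PAGE = Page("Barack Obama", frozenset({"page_admin"}),
                  frozenset({"alice"}), WallPolicy.ADMIN_ONLY)
BRAND_PAGE = Page("Example Brand", frozenset({"brand_admin"}),
                  frozenset({"alice"}), WallPolicy.FANS_SEPARATE)

if __name__ == "__main__":
    bypass = PostRequest(OBAMA_PAGE, "mallory", "hello", client_claims_allowed=True)
    print("vulnerable:", authorize_vulnerable(bypass))      # main
    print("server-side:", authorize_server_side(bypass))    # None
    leaked = [WallPost("mallory", "hello", "main"),
              WallPost("page_admin", "official update", "main")]
    print("flagged:", [p.author for p in audit_wall(OBAMA_PAGE, leaked)])
```

The two checks differ only in what they consult: the hardened version never reads anything the client asserts about permissions, so a client that ignores the settings still cannot place a post where the administrator has not allowed one. The audit is the same function run over existing posts, which is how a defender would find and clean up posts that slipped through before the fix.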
Of course, this is hardly the first such bug to pop up — over the last few years we’ve seen a number of exploits that let users access data they were not supposed to be able to see. In fact, this iPhone app has had previous problems: soon after release, users discovered that the application was ignoring the privacy settings on their status updates, which meant friends who were supposed to have been blocked from seeing updates were seeing them anyway. This was quickly resolved by a server-side fix, but it’s scary that it could happen in the first place. Given the frequency of these bugs, it’s clear that Facebook’s security and privacy settings are by no means rock solid and it seems only a matter of time before we see a more serious breach.
Thanks to Seve Salazar for the tip.