Video: Major Facebook security hole lets you view your friends' live chats


You’ve got to hand it to Facebook. They certainly know how to do security — not.

Today I was tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their ‘friends’. Using what sounds like a simple trick, a user can also access their friends’ latest pending friend requests and see which friends they share in common. That’s a lot of potentially sensitive information.

Unbelievable, I thought, until I tested the exploit for myself.

And guess what? It works.

The irony is that the exploit is enabled by the way that Facebook lets you preview your own privacy settings. In other words, a privacy feature contains a flaw that lets others view private information if they are aware of the exploit.

I know Facebook wants us to share more information and open up, but I’m not sure that this is quite what they had in mind.

Because this has major implications for user privacy, we’ve informed Facebook about this exploit.

Here is the video of the exploit in action.

(Hat-tip: @Scott56r and @Laird_Attwood)

Update: After a few hours, Facebook sent us this statement.

“For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the ‘preview my profile’ feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.”
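Facebook has not published the faulty code, so as an added illustration (not Facebook's code) here is a toy model of the design flaw the statement describes: a "preview my profile as" feature that substitutes the previewed friend's identity for the logged-in identity everywhere, so that loaders for private data (chat, pending requests) run as the friend, beside a version that keeps the two identities separate. All user names and data are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (no real accounts): private per-user data that a
# profile page's sidebar loads alongside the profile itself.
CHATS = {"alice": ["alice->bob: hi"], "bob": ["bob->carol: meet at 6"]}
PENDING = {"alice": ["dave"], "bob": ["erin"]}
FRIENDS = {"alice": {"bob"}, "bob": {"alice", "carol"}, "carol": {"bob"}}
PROFILE = {"alice": {"name": "Alice", "phone": "555-0100"}}
FRIENDS_ONLY_FIELDS = {"phone"}


@dataclass
class Request:
    auth_user: str                    # account that actually logged in
    preview_as: Optional[str] = None  # "preview my profile as this person"


def visible_profile(owner: str, viewer: str) -> dict:
    """Profile fields `viewer` may see on `owner`'s page (the preview's purpose)."""
    is_friend = viewer == owner or viewer in FRIENDS.get(owner, set())
    return {k: v for k, v in PROFILE[owner].items()
            if k not in FRIENDS_ONLY_FIELDS or is_friend}


def render_vulnerable(req: Request) -> dict:
    # BUG: the preview target replaces the identity that *every* loader uses,
    # so the sidebar fetches the previewed person's chats and friend requests.
    effective = req.preview_as or req.auth_user
    return {
        "profile": visible_profile(req.auth_user, effective),
        "chats": CHATS.get(effective, []),
        "pending_requests": PENDING.get(effective, []),
    }


def render_fixed(req: Request) -> dict:
    # Preview only changes the *viewer* used for visibility decisions on the
    # owner's profile; private data stays bound to the authenticated account.
    viewer = req.preview_as or req.auth_user
    return {
        "profile": visible_profile(req.auth_user, viewer),
        "chats": CHATS.get(req.auth_user, []),
        "pending_requests": PENDING.get(req.auth_user, []),
    }
```

In both versions the profile preview itself behaves identically; only the fixed version refuses to let the preview identity reach the loaders for data that was never meant to be previewable.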

  • no

    Doesn’t work for me.

    • Joe

      Yeah, it’s been fixed now; it says FB chat is unavailable.

      • meeka

        I knew it! I bet this is the same exact strategy by which this thug on Facebook managed to stalk his victims while he is in jail…

      • http://www.gamersunited.se Tvspel

        Ouch! That was really bad…

      • Riz_jafri

        Hi, Joe … can you tell me about this … because some friends of mine are trying to make a fool of me … so please tell me, mail me at riz_jafri@yahoo.com

    • http://twitter.com/ediciuz Ediciuz

      Works for me, hit ctrl+F5

      • Designer

        try ctrl + f4

      • http://mwd.com MWD

        I think pressing twice CTRL+Alt+Delete works best! I tried on Windows 98! :)

      • http://twitter.com/fucktwitter Cail

        These things give insight into what I meant when saying that in my whole long life as a developer, I’ve never seen a crappier platform than Facebook. It’s a huge f*cking mess. Security-wise and otherwise. Don’t use it.

      • meeka

        Certainly, a week from now, this glitch won’t work. Just like that glitch from Twitter wherein you can see someone else’s private tweets via Google’s special search.

    • http://twitter.com/ediciuz Ediciuz

      Works for me. I can even see messages and friend requests

      • Blindman McSqueezy

        Works for me, I can even see the people walking around in their houses and what they had for dinner inside their stomach. I can also see their futures.

      • Chris

        @Blindman McSqueezy – “works for me, I can even see the people walking around in their houses and what they had for dinner inside their stomach. I can also see their futures.”

        Ahahahaha! Me too!!!!

    • http://twitter.com/ediciuz Ediciuz

      Looks like it just got disabled… working now and then…

      • http://realestatekhoj.wordpress.com Vineet

        Works for me .. damn..

        http://wp.me/pRpuJ-o

      • ratchet

        Vineet, this is not a place for advertisement, you crap.

    • http://www.bonjour-assistance.fr/ assistance informatique colmar

      Works fine for me too.

  • http://www.lobstur.com Iain Haywood

    Schoolboy error.

  • Joe

    Unbelievable… I hate Facebook. Who knows how long this exploit has been around, and I personally had some very private chats in Facebook chat, and to think someone may have been able to view it is infuriating…

    • Shane

      Who would be stupid enough to put anything private into a chat feature on Facebook.

      Seriously, anything you put into Facebook should be considered viewable by anyone, whether it’s through an employee abusing privileges or poor security.

      It’s the old saying: you don’t want someone to see it, don’t bloody write it.

    • dude

      Dude don’t you know not to have your juicy chats on facebook.. now everyone’s gonna make’em public.. you are so hosed dude..

      • Cynyr

        yea, everybody knows you should use twitter for them~

      • http://www.avvo.com/dui-dwi-lawyer/al/birmingham.html Birmingham DUI Lawyer

        HAHA! I always say Facebook is just as public as Twitter. The only difference is that Facebook tries to pretend it has some privacy whereas everyone knows Twitter is public. Well except for private messaging.. but how much can you say in 140 characters?

    • nathan

      It’s ironic. I was only using the ‘see your profile as others will’ feature a few days ago and had no such error. I would have realised, as I was chatting with the person I was trying it out on at the time.
      So it can’t have been that long.

  • http://www.meneame.net/story/exploit-facebook-permite-ver-historiales-chat-tus-contactos Exploit de Facebook permite ver los historiales de chat de tus contactos [EN]

    […] Exploit de Facebook permite ver los historiales de chat de tus contactos [EN]  eu.techcrunch.com/2010/05/05/video-major-facebook-security-h…  por atzu hace 5 segundos […]

  • http://www.thestartup.eu Stefano Bernardi

    Does indeed work for me.

    Unbelievable and unfuckingacceptable.

  • James

    Works fine.

    Your friend needs to have left a chat window open

  • http://twitter.com/Scott56R Scott

    I discovered the exploit this morning completely by accident :)

    Good fun though looking at what people talk about

  • Mark U

    Looks like they’ve just disabled chat

  • http://twitter.com/vinss vinss

    doesn’t seem to work…

  • kyle

    Doesn’t work for me either.

  • http://www.twitter.com/MacSmiley MacSmiley

    Security hole? You gotta be kiddin’ me.

    THIS is just really a brand new feature Facebook hasn’t announced yet. After all, Facebook is trying to conquer Twitter with its everybody-sees-all way of doing things. This is logically the next step.

    • Alex

      This was a good one. :) +1

      • Alex

        BTW, this new feature will probably be available for premium accounts only. Zuckerbooker needs revenue, remember? :)

  • sa

    worked for me, but they disabled chat indeed shortly after. LMFAO

  • James

    Works fine!

    Your friend needs to have left a chat window open

  • http://xxdesmusxx.net xxdesmus

    it’s still working here for me …just takes a few tries to get FB chat working, but when it loads the hole does still work.

  • http://twitter.com/Scott56R Scott

    Guys, when I found this I was using Safari 4 on a Mac. Not sure if it’s browser-specific, but I know for a few friends who were using Opera the chat was not visible.

    • Dave

      “I know a few friends who were using Opera”

      Now I know you’re lying….

      • Alex

        He’s from Opera

  • http://www.devilsduke.com/facebook/major-facebook-security-issue-ever-lets-you-view-your-friends-live-chats/ Major Facebook Security Issue Ever, Lets You View Your Friend's Live Chats | DevilsDuke.com

    […] Do you chat with your clients and business partners in Facebook? Then you may be in a big problem. A new big security issue in Facebook makes your friends able to view your live chats in just a few clicks. Using what sounds like a simple trick, a user can also access their friends’ latest pending friend-requests and which friends they share in common. That’s a lot of potentially sensitive information. Here is a video of the exploit in live action by TechCrunch. […]

  • http://www.rocket-rentals.de Jan

    wow, this is huge. works just fine for me. #gasp

  • http://www.andycallaghan.com Andy

    That’s amazing, it really does work – let’s see how long it takes them to fix it…

  • Chris

    This is really a security fail, seeing as you only see your own chats, and are still logged in when you do all that stuff.

  • Laird_Attwood

    Still working, Mac 10.5 on Safari 4.0.5

    Reports that it doesn’t work on Opera or in India/Philippines from friends who have tried it.

    Guess it depends on what servers you go through at FB’s end.

  • Jon

    Last straw, deactivating profile.

    • Jon

      Don’t deactivate your accounts; delete them. Deactivating means your information is still stored on Facebook’s servers.

      Although knowing Facebook’s contempt for privacy I’m sure there are probably remnants left over even if you do delete the account.

  • http://www.techpetals.com/facebook-security-lapse-access-friends-facebook-chat-and-friend-requests-video-1038 Facebook Security Lapse – Access Friends Facebook Chat and Friend Requests [Video] | TechPetals

    […] TechCrunch […]

  • http://www.adogy.com John

    Worked for me… my chat has been disabled now

  • http://www.slashgear.com/facebook-exploit-reveals-live-chat-contents-video-0584451/ Facebook exploit reveals live chat contents [Video] - SlashGear

    […] Facebook’s security settings have again come under the microscope, as an exploit that can expose not only pending friend requests but contents of live chat […]

  • http://twitter.com/Scott56R Scott56R

    … and Facebook deactivates my account in 5..4..3..2..1 for sharing their shitty security with the world :)
