You’ve got to hand it to Facebook. They certainly know how to do security — not.
Today I was tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their ‘friends’. Using what sounds like a simple trick, a user can also access their friends’ latest pending friend-requests and which friends they share in common. That’s a lot of potentially sensitive information.
Unbelievable I thought, until I just tested the exploit for myself.
And guess what? It works.
The irony is that the exploit is enabled by they way that Facebook lets you preview your own privacy settings. In other words, a privacy feature contains a flaw that lets others view private information if they are aware of the exploit.
I know Facebook wants us to share more information and open up, but I’m not sure that this is quite what they had in mind.
Because this has major implications for user privacy we’ve informed Facebook about this exploit.
Here is the video of the exploit in action.
Update: After a few hours Facebook sent us this statement.
“For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.”