Another Facebook Hole?

(Update: Facebook have confirmed the flaw—although it’s not as serious as it looks—and have fixed it. See comments.)

The complexity of Facebook makes it likely there are holes in its privacy. But this one, if I’m right, seems to suggest that it’s possible to access someone’s private data by a social engineering trick outside Facebook.

Today I received an email invite to join Facebook from someone I’ve never heard of. Weird, firstly, because this was not someone I think I’d have known. Weird, also, because I’m already on Facebook.

image

Just to make sure, I clicked on the link to sign up for Facebook and took the option there to sign in with my existing account.

That took me to my usual Facebook page. No more mention of the dude wanting to be my friend. At no point was I given any option to let this person into my life or not.

So I Googled the guy’s name and, lo and behold, I find I’m already on his list of friends:

image

Slightly freaked out, I went back to my account to see if this person was included in my list of friends. He wasn’t.

In other words, this guy can now see all my account details, and I can’t see his. Moreover, at no point have I accepted anything. All I’ve done is click on a link that said: To sign up for Facebook, follow the link below.

What I guess has happened is what happens if you click on the profile of someone who is not a friend but has sent you a message, or asked you to be a friend. In either case, I believe, that person then gets a week’s access to your profile.

I think this is dumb. But I think it’s dangerous that anyone can email me and, if I then click on a link to check out who they are, I now cede access to my information without being able to block it, or to be able to access his Facebook profile to see what kind of person can now access my data.

16. January 2009 by jeremy
Categories: Networks, Privacy, Scams, Security | Tags: , , , , , | 6 comments

Comments (6)

  1. It is dumb — especially as a default — but it is configurable, I’m pretty sure. I remember seeing the option at one point in Facebook’s web of privacy options. As long as you don’t reply to their message (or maybe just open it), I think it’s OK. But how many people know that?

  2. Thanks for bringing this issue to our attention. It turns out that a recent code change introduced a bug causing the behavior you saw. The way the bug worked: If you were logged into Facebook and viewed a Facebook public search listing of another user, you would be shown as a friend of that user in the public search listing you were viewing. However, there was no relationship actually created between the two users and all privacy controls were maintained. Thus, in the scenario you describe in your post, the other user was NOT able to view your profile and was not actually your friend (nor were you his friend). It just appeared that way to you, and only to you, in the public search listing . This was definitely unintended behavior and we agree it would be unexpected by users. As a result, we’ve already fixed the issue. Thanks, again and please let me know if you have any questions.

  3. The visibility into your profile is odd, but the one-way friendship is what really puzzles me. I.e., how is it that you are on his list of friends, but not vice versa?

  4. Barry, thanks for clearing this up.

  5. Facebook has always been full of security holes like this one.

    I’m not sure if this one has been closed up but if you respond to any message from soneone who isn’t your ‘friend’ that person can view all of your profile information. This has always been the case, at least it was a year ago when someone I didn’t want to what trying to get access to my personal info.

  6. Hi,

    I am friends with someone on facebook and that person is friends with someone who is not my friend. I noticed when I checked my friends profile that the only wall to wall postings I was able to see in his profile were the ones he had with this person, which I thought was odd, since wall to wall postings are visible only between common friends, then I clicked on my friend’s friend name and I was able to see his profile and his wall, but his friends list. I have never requested him or email him or anything, I don’t know him. Why is this happening, and is he able to see mine too?