Earlier this evening we came across a privacy flaw on Facebook that allowed users to gain access to portions of their friends’ profiles that they should not have been able to see. We contacted Facebook about the issue over an hour ago (it remains unresolved), and they have asked us to refrain from going into too much detail as to how to reproduce it until it is fixed.
Facebook is well known for its granular privacy settings, allowing users to selectively choose which of their friends have access to their photos, videos, and ‘Walls’. As the social network has grown beyond schools to include many users’ employers and family members, these privacy controls have become even more essential. Users often create “Friends Lists”, segregating friends whom they don’t want seeing their most personal content into lists with limited viewing rights.
The new bug allowed users to temporarily bypass these Limited Friends Lists, instead displaying profiles in their entirety, including photos and wall posts. Given the personal and often unprofessional nature of some photos and messages shared on Facebook, this was a potentially damaging security lapse.
It’s unclear how long the bug lasts – I found that refreshing a friend’s profile once or twice seemed to correct the issue and display only the information I was supposed to be seeing. But even if the bug only works temporarily, it’s easy enough to perform repeatedly that users could potentially view multiple profiles without much effort.
The error also serves as yet another blemish on the privacy controls of web-based services. Only two weeks ago, Google revealed that Google Docs had inadvertently shared thousands of documents with users who should not have had access to them.