Facebook Bug Reveals Private Photos, Wall Posts

Earlier this evening we came across a privacy flaw on Facebook that allowed users to gain access to portions of their friends’ profiles that they should not have been able to see. We contacted Facebook about the issue over an hour ago (it remains unresolved), and they have asked us to refrain from going into too much detail as to how to reproduce it until it is fixed.

Facebook is well known for its granular privacy settings, allowing users to selectively choose which of their friends have access to their photos, videos, and ‘Walls’. As the social network has grown beyond schools to include many users’ employers and family members, these privacy controls have become even more essential. Users often create “Friends Lists”, segregating friends who they don’t want seeing their most personal content into lists with limited viewing rights.

The new bug allowed users to temporarily bypass these Limited Friends Lists, instead displaying profiles in their entirety, including photos and wall posts. Given the personal and often unprofessional nature of some photos and messages shared on Facebook, this was a potentially damaging security lapse.

It’s unclear how long the bug lasts – I found that refreshing a friends’ profile once or twice seemed to correct the issue and display only the information I was supposed to be seeing. But even if the bug only works temporarily, it’s easy enough to perform repeatedly that users could potentially view multiple profiles without much effort.

This isn’t the first privacy bug to affect Facebook – users have previously been able to access private photos and view private profile information in search results.

The error also serves as yet another blemish on the privacy controls of web-based services. Only two weeks ago, Google Docs revealed that it had inadvertently shared thousands of documents with users who should not have had access to them.


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s