
Loophole lets anyone see part of your Facebook friend list, even if it’s set to private


If you chose the Facebook setting that hides your friend list from people who aren’t your friends, Irene Abezguaz has some bad news. Abezguaz, a vice president of product management at Quotidium, outlined a loophole she discovered at AppSecUSA 2013, a New York security conference: that friend list isn’t totally hidden.

If someone wants to see the friends of a Facebook user who hides their complete friend list from strangers, they can create a new dummy account and send a friend request to that Facebook user. Once the request is sent, even if it is rejected, Facebook will start sending the dummy account friend suggestions for users who are already Facebook friends with the person in question or who have received a friend request from them. In this way, even though there’s no complete friend list, someone looking for more information about a Facebook user will be able to compile at least a robust partial list of their Facebook friends. And while most people aren’t going to bother going out of their way to circumvent settings, the people who will (malware peddlers, spammers, and stalkers) are exactly the kind of users that people want to avoid when they select tighter privacy settings.
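One way to model the behaviour described above, and the check that would close it, is sketched below. This is an added example, a constructed Python model that is not Facebook's code and not part of the original article; every class, method and user name in it is hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    friends: set = field(default_factory=set)
    visibility: str = "friends"  # who may see the friend list: public | friends | only_me

class SocialGraph:
    def __init__(self):
        self.users = {}
        self.requests = {}  # (sender, recipient) -> "pending" | "rejected"

    def add(self, name, visibility="friends"):
        self.users[name] = User(visibility=visibility)

    def befriend(self, a, b):
        self.users[a].friends.add(b)
        self.users[b].friends.add(a)

    def request(self, sender, recipient, status="pending"):
        self.requests[(sender, recipient)] = status

    def may_view_friends(self, viewer, owner):
        u = self.users[owner]
        if viewer == owner or u.visibility == "public":
            return True
        return u.visibility == "friends" and viewer in u.friends

    def suggest_leaky(self, viewer):
        # Flaw: any request the viewer sent, even a rejected one, seeds suggestions.
        seeds = set(self.users[viewer].friends)
        seeds |= {r for (s, r) in self.requests if s == viewer}
        found = set()
        for seed in seeds:
            found |= self.users[seed].friends
        return found - seeds - {viewer}

    def suggest_hardened(self, viewer):
        # Only accepted friendships seed suggestions, and each seed's
        # friend-list visibility setting is enforced for this viewer.
        mine = self.users[viewer].friends
        found = set()
        for seed in mine:
            if self.may_view_friends(viewer, seed):
                found |= self.users[seed].friends
        return found - mine - {viewer}

def demo():
    # Constructed sample data: "alice" hides her list from non-friends.
    g = SocialGraph()
    for name in ("alice", "bob", "carol", "dave", "probe"):
        g.add(name)
    for friend in ("bob", "carol", "dave"):
        g.befriend("alice", friend)
    g.request("probe", "alice", status="rejected")
    return g.suggest_leaky("probe"), g.suggest_hardened("probe")
```

The hardened path treats the suggestion feature as one more reader of the friend list, so the same visibility decision applies there as on the Timeline.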

“Research of this issue has shown that most of the friends list, often hundreds of friends, is available to the attacker. In any case, even a partial friends list is a violation of user-chosen privacy controls,” Abezguaz writes in a blog post explaining the security loophole. 

Facebook doesn’t see this loophole as any big deal. A spokesperson (vaguely) explains: “Our policies explain that changing the visibility of people on your friend list controls how they appear on your Timeline, and that your friends may be visible on other parts of the site, such as in News Feed, Search and on other people’s Timelines. This behavior is something we’ll continue to evaluate to make sure we’re providing clarity.” In other words, yes, the company acknowledges that part of your friend list becomes visible when a non-friend peeks at the “People You May Know” function, but because it’s not a direct part of the Timeline controls and because it’s an incomplete list, Facebook isn’t going to focus on this as a problem (besides perhaps clarifying their language to make it more apparent that the company does not believe this is a problem). 

Facebook has been changing its privacy settings to encourage users to publicly display more information; it’s part of the company’s ongoing quest to transform into a “personalized newspaper” and discovery engine with Graph Search. The company isn’t going to stray from that strategy to backpedal and provide greater privacy controls again, even if someone brings the flimsiness of the current settings to our attention.

This probably isn’t the only example of a roundabout way to access Facebook user information. But it is a very good example of Facebook’s attitude towards user privacy: the company is ushering users towards transparency and away from privacy, and it’s not going to bother accommodating people pointing out relatively minor privacy failings like this. Let this be another reminder that Facebook, while still useful/painfully addictive, is actively eroding your old privacy settings to prime users for a more public social network.  


Kate Knibbs
Former Digital Trends Contributor