Skip to main content

Loophole lets anyone see part of your Facebook friend list, even if it’s set to private

If you chose the Facebook setting that hides your friend list from people who aren’t you friends, Irene Abezguaz has some bad news. Abezguaz, a vice president of product management at Quotidium, outlined a loophole she discovered at AppSecUSA 2013, a New York security conference — that friend list isn’t totally hidden. 

If someone wants to see the friends of a Facebook user who hides their complete friend list from strangers, they can create a new dummy account and send a friend request to that Facebook user. Once the request is sent, even if it is rejected, Facebook will start sending friend suggestions to the dummy account — for users who are already Facebook friends or who have received a friend request from the person in question. In this way, even though there’s no complete friend list, someone looking for more information about a Facebook user will be able to compile at least a robust partial list of their Facebook friends. And while most people aren’t going to bother going out of their way to circumvent settings, the people who will  — malware peddlers, spammers, and stalkers — are exactly the kind of users that people want to avoid when they select tighter privacy settings. 

Recommended Videos

“Research of this issue has shown that most of the friends list, often hundreds of friends, is available to the attacker. In any case, even a partial friends list is a violation of user-chosen privacy controls,” Abezguaz writes in a blog post explaining the security loophole. 

Facebook doesn’t see this loophole as any big deal. A spokesperson (vaguely) explains: “Our policies explain that changing the visibility of people on your friend list controls how they appear on your Timeline, and that your friends may be visible on other parts of the site, such as in News Feed, Search and on other people’s Timelines. This behavior is something we’ll continue to evaluate to make sure we’re providing clarity.” In other words, yes, the company acknowledges that part of your friend list becomes visible when a non-friend peeks at the “People You May Know” function, but because it’s not a direct part of the Timeline controls and because it’s an incomplete list, Facebook isn’t going to focus on this as a problem (besides perhaps clarifying their language to make it more apparent that the company does not believe this is a problem). 

Facebook has been changing its privacy settings to encourage users to publicly display more information; it’s part of the company’s ongoing quest to transform into a “personalized newspaper” and discovery engine with Graph Search. The company isn’t going to stray from that strategy to backpeddle and provide greater privacy controls again, even if someone brings the flimsiness of the current settings to our attention.

This probably isn’t the only example of a roundabout way to access Facebook user information. But it is a very good example of Facebook’s attitude towards user privacy: the company is ushering users towards transparency and away from privacy, and it’s not going to bother accommodating people pointing out relatively minor privacy failings like this. Let this be another reminder that Facebook, while still useful/painfully addictive, is actively eroding your old privacy settings to prime users for a more public social network.  

Topics
Kate Knibbs
Former Digital Trends Contributor
Kate Knibbs is a writer from Chicago. She is very happy that her borderline-unhealthy Internet habits are rewarded with a…
Bluesky finally adds a feature many had been waiting for
A blue sky with clouds.

Bluesky has been making a lot of progress in recent months by simplifying the process to sign up while at the same time rolling out a steady stream of new features.

As part of those continuing efforts, the social media app has just announced that users can now send direct messages (DMs).

Read more
Incogni: Recover your privacy and remove personal information from the internet
Incogni remove your personal data from brokers and more

Everything you do while online is tracked digitally. Often connected to your email address or an issued IP, trackers can easily identify financial details, sensitive information like your social security number, demographics, contact details, like a phone number or address, and much more. In many ways, this information is tied to a digital profile and then collated, recorded, and shared via data brokers. There are many ways this information can be scooped up and just as many ways, this information can be shared and connected back to you and your family. The unfortunate reality is that, for most of us, we no longer have any true privacy.

The problem is exacerbated even more if you regularly use social media, share content or images online, or engage in discussions on places like Reddit or community boards. It's also scary to think about because even though we know this information is being collected, we don't necessarily know how much is available, who has it, or even what that digital profile looks like.

Read more
Reddit just achieved something for the first time in its 20-year history
The Reddit logo.

Reddit’s on a roll. The social media platform has just turned a profit for the first time in its 20-year history, and now boasts a record 97.2 million daily active users, marking a year-over-year increase of 47%. A few times during the quarter, the figure topped 100 million, which Reddit CEO and co-founder Steve Huffman said in a letter to shareholders had been a “long-standing milestone” for the site.

The company, which went public in March, announced the news in its third-quarter earnings results on Tuesday.

Read more