Facebook Bug Reveals Private Photos, Wall Posts (Updated)
by Jason Kincaid on March 20, 2009

Earlier this evening we came across a privacy flaw on Facebook that allowed users to gain access to portions of their friends’ profiles that they should not have been able to see. We contacted Facebook about the issue over an hour ago (it remains unresolved), and they have asked us to refrain from going into too much detail as to how to reproduce it until it is fixed.

Update: Facebook has fixed the issue as of Saturday morning. The procedure for exploiting the bug was quite straightforward. Users simply had to deactivate their account under their Facebook settings, then immediately reactivate it by logging back into Facebook (a process that took maybe thirty seconds). This apparently broke some privacy settings, as these users would then be able to see some of their friends’ profile information that they should not have had access to.

Facebook has responded with the following comment:

“While the scenario for the bug to work was a rare use case in the account reactivation process, we’re always concerned with any potential breach of user privacy. We worked quickly to address the reported bug and it was resolved within a few hours late last night.”

Facebook is well known for its granular privacy settings, allowing users to selectively choose which of their friends have access to their photos, videos, and ‘Walls’. As the social network has grown beyond schools to include many users’ employers and family members, these privacy controls have become even more essential. Users often create “Friends Lists”, segregating friends whom they don’t want to see their most personal content into lists with limited viewing rights.

The new bug allowed users to temporarily bypass these Limited Friends Lists, instead displaying profiles in their entirety, including photos and wall posts. Given the personal and often unprofessional nature of some photos and messages shared on Facebook, this was a potentially damaging security lapse.

It’s unclear how long the bug lasts – I found that refreshing a friend’s profile once or twice seemed to correct the issue and display only the information I was supposed to be seeing. But even if the bug only works temporarily, it’s easy enough to perform repeatedly that users could potentially view multiple profiles without much effort.
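The article does not say what inside Facebook actually went wrong, only that the Limited Profile lists stopped being honoured after a deactivate/reactivate cycle. The following is an added illustration, not Facebook’s code: a small hypothetical model of friend lists and a Limited Profile, in which the visibility decision is recomputed from current list membership on every request, plus a regression check that deactivating and reactivating an account can never widen what any viewer may see. The account model, section names and function names are all assumptions made for this example.

```python
# Added example (not Facebook's code): a toy model of "Limited Profile"
# access control with a regression check for the deactivate/reactivate cycle.
# The data model, section names and helper names are assumptions for illustration.

from dataclasses import dataclass, field

# Hypothetical content sections and what each class of viewer may see.
FULL_PROFILE = frozenset({"basic_info", "photos", "wall", "videos"})
LIMITED_PROFILE = frozenset({"basic_info"})
NOT_A_FRIEND = frozenset()


@dataclass
class Account:
    name: str
    active: bool = True
    friends: set = field(default_factory=set)
    limited: set = field(default_factory=set)  # friends placed on the Limited Profile list


class Network:
    def __init__(self):
        self.accounts = {}

    def add(self, name):
        self.accounts[name] = Account(name)
        return self.accounts[name]

    def befriend(self, a, b, limited_for_a=False):
        """Make a and b friends; optionally put b on a's Limited Profile list."""
        self.accounts[a].friends.add(b)
        self.accounts[b].friends.add(a)
        if limited_for_a:
            self.accounts[a].limited.add(b)

    def deactivate(self, name):
        self.accounts[name].active = False

    def reactivate(self, name):
        # Reactivation only flips the flag. Friend and limited lists are untouched,
        # so this transition has no path that could widen anyone's access.
        self.accounts[name].active = True

    def visible_sections(self, viewer, owner):
        """Decide what `viewer` may see of `owner` from current list membership.

        The decision is computed on every call rather than cached, so no stale
        answer can outlive a list change or an account state transition."""
        o = self.accounts[owner]
        v = self.accounts[viewer]
        if viewer == owner:
            return FULL_PROFILE
        if not o.active or not v.active:
            return NOT_A_FRIEND
        if viewer not in o.friends:
            return NOT_A_FRIEND
        if viewer in o.limited:
            return LIMITED_PROFILE
        return FULL_PROFILE


def snapshot(net):
    """Map every (viewer, owner) pair to its visible sections."""
    names = list(net.accounts)
    return {(v, o): net.visible_sections(v, o) for v in names for o in names}


def reactivation_preserves_visibility(net, name):
    """Regression check for the bug class described in the article: after `name`
    deactivates and immediately reactivates, no pair's visibility may have grown."""
    before = snapshot(net)
    net.deactivate(name)
    net.reactivate(name)
    after = snapshot(net)
    return all(after[pair] <= before[pair] for pair in before)


def demo():
    """Constructed sample network: bob is a full friend of alice, carol is limited."""
    net = Network()
    for n in ("alice", "bob", "carol"):
        net.add(n)
    net.befriend("alice", "bob")
    net.befriend("alice", "carol", limited_for_a=True)
    return net


if __name__ == "__main__":
    net = demo()
    print("carol sees of alice:", sorted(net.visible_sections("carol", "alice")))
    print("reactivation safe:", reactivation_preserves_visibility(net, "carol"))
```

The check in `reactivation_preserves_visibility` is the kind of property a test suite can run over every state transition an account can make (deactivate, reactivate, list edits): compare a before/after snapshot of all viewer/owner decisions and fail if any set of visible sections grew.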

This isn’t the first privacy bug to affect Facebook – users have previously been able to access private photos and view private profile information in search results.

The error also serves as yet another blemish on the privacy controls of web-based services. Only two weeks ago, Google Docs revealed that it had inadvertently shared thousands of documents with users who should not have had access to them.

Thanks to Anjool for the tip.

Responses

  • How wonderful – private photos become public!

    • Well not quite, they can only be seen by your friends (though it could be a friend on your limited profile who shouldn’t have been able to see them).

      • “and they have asked us to refrain from going into too much detail as to how to reproduce it until it is fixed.”

        Why didn’t you do this for your speed date hack?

        Why are you doing this for Facebook ???

        Are you afraid of them?

        • I stared their lawyers down and spat in their faces.

        • What are you talking about? I waited until SpeedDate had fixed their privacy issues before reporting them.

        • http://www.tech...hits-speeddate/

          I can’t tell anymore, you changed the wording.

          I mentioned that unauthorized computer access was illegal in California then you changed the blog post from saying you had hacked accounts, to “we did x and y”

          Remember?

          I thought you had posted the original post before they had fixed it.

          At any rate, I don’t see why you are waiting. It’s up to them to fix any flaw. You have no legal responsibility not to report it. Flaws are reported all the time. It’s how they get patched.

        • These privacy issues at Facebook are getting out of control. I stopped using Facebook after their TOS fiasco, and many people commented that I was overreacting. I am certainly glad I stuck by my decision.

          Unless Facebook, Google and co start getting their act together, they will start feeling the heat from lawmakers who now appear to be wanting to regulate anything with a heartbeat.

        • Your loss, Anjali. There’s bigger things to worry about LOL

        • I recently realized that you can bypass privacy in Facebook photos quite easily. I assumed this was a “feature.”

          Here’s how: if I mark a picture “friends only.” One of my friends can tag a non-friend in the photo. Then the non-friend can see the photo (still marked “friends only”) and even post the photo on their wall for all of their friends to see.

          So, just tag a photo and it will open that photo up to those being tagged and their friends (and so on and so on).

          You can disable tagging, but that’s a drastic move. If a photo is marked as “friends only” it should indeed be “friends only.” Now I have to assume that all of my photos are open to the world.

        • The Stupid Clueless Spammer From India - March 21st, 2009 at 11:05 am PDT

          “…. Unless Facebook, Google and co start getting their act together, they will start feeling the heat from lawmakers who now appear to be wanting to regulate anything with a heartbeat. ….”

          That is in India – I have no clue what is going on in the rest of the world but I will continue spamming TC with retard, inane comments. Try to stop me!

          Anjali Sen

          From India

        • @Anjali ….. you only have 6 FB friends …. I don’t understand what you mean by stating that you stopped using facebook …

        • Such small issues don’t deserve a post in TC.. Too many posts are not good for a blog

        • CPO RJ Garbowicz was asked what is YourNight.com, he responded, “Picture this; you get home from work in the evenings and you turn on your PC, what do you do . . . answer email . . . browse your social networking or dating site . . . play online games . . . search videos and music . . . shop online . . . peruse job listings . . . check out local events . . . search for a business . . . go to your online banking . . . well you get the point, YourNight.com affords you all of this, and much, much more – all within one colossal, user-friendly portal . . . that’s all I can say for now, since we are still in stealth mode . . . however, as soon as we complete our Series A capital raise of $10 million our purpose and presence will be known.”

          For more information, please contact:
          RJ Garbowicz President/CPO Extreme Enterprises, Inc.
          Phone:727.289.5522
          Email:RJ@eeihq.com
          PO Box 49271
          St Petersburg, FL 33743

      • Privacy is very important on the internet. There are all kinds of weirdos out there. Example: http://www.f2bb.com

      • Not to criticize you too much but this has been available for the past 2 months, its hardly breaking news and just more of a sign of the lower quality articles being shown here.

        Additionally did i not read last week that Michael would be removing all potentially questionable conflicts of interest from the site, why are those seesmic comments and feeds still available if so? all talk and no action.

    • FaceBook sucks. Go for MySpace guys…

    • if they are THAT private why do people even upload them on Facebook… Keep them private on your Mac or PC?

    • I think there is big confusion over the the true meaning of privacy on the internet! Even Facebook had it wrong. I will agree with Dimitri here, if its private don’t upload it, period!

  • Awesome, it is times like these I’m glad I have showed restraint on Facebook and not simply relied on privacy settings.

    • How interesting. That is what I do too.

      My reliance on Twitter is probably 10 or 20 times more than Facebook-Basically because it is easier to check Twitter and that I find fun in using it.

      While Facebook is fun, I try to avoid using it because of possible security and privacy issues (Such as this one) to sprout out.

      Not saying Twitter is completely safe, but less personal information (In my opinion) is leaked out through it. (Eating breakfast doesn’t count, does it? ;) )

    • That’s it, I quit FB today.

      This is ridiculous.

      They’re so f#cking big and have enough $ to program like grown-ups.

      Yet, they seem to employ some script kiddies for their programming and just don’t give a damn about our privacy.

      I’d say that’s a monopolist at work.

    • To all the RECRUITERS out there:

      GENTLEMEN, START YOUR ENGINES!

      LMFAO!!

  • good to know the 500 million went to good use to hire the best engineers.

  • Actually, every photo is open to the public, it’s just browsing that’s restricted. Browse to one of your private photos, use the View Image to browse to its unique URL, sign out and paste that sucker in. LOLZ.

    • Luckily, not a huge issue because anyone with access to that URL could also just download and rehost/share that photo themselves.

  • I really agree with this because today facebook is a lot more than a student’s fun site, now people are using it for businesses. I myself was planning to choose people for my blog and contact them using facebook but after reading this I am out of this. Only thing I don’t understand is that if bad guys can go this far in creating these kinds of bugs then why can’t Google and Facebook figure out how to keep the bugs out of their systems.

    Mohammad Afaq
    Free Website Traffic

  • Achieving complete privacy in cloud services is an Utopian dream. It may never happen. If you are really concerned about your privacy consider Tonido’s Personal Web Applications.

  • This is a major, major mishap. Privacy settings are useless if they’re not respected.

    All it takes is one lapse, and the privacy settings are useless. It’s like a bank manager forgets to lock the front door just one night, but that’s enough for people to come in and steal the money. All it takes is one mishap.

    Pro-tip: don’t post content anywhere on the web, even “private” “secure” parts of the web like — Facebook or Google Docs — that you wouldn’t want plastered on the front page of the local paper the next day.

  • It is actually pretty easy to access other peoples photos on facebook even if they are restricted…

    Expect an uproar from facebook users…again

    It is pretty much what you expect from them…along with their bad design decisions http://technoci...0/facebook-2011

  • Well that sucks, but the old rule still applies, if you don’t want somebody to see something don’t put it on the internet.

    I’ve made my facebook pretty much 80% public now, see no reason to hide. However I’ve keep photos/videos for friends only.

  • If you right-click on any facebook photo and got to properties and copy the location you can send the link to the pic.

    Kind of like this:

    http://profile....0958284_290.jpg

  • Well, that’s not good. Private must be private. Many facebook members who have private pics, I think they’re discouraged with that.

  • Random bullshit comment that makes hardly any sense…

    http://www.my-l...me-ass-site.com

  • Well the rumor has it, Facebook does not have QA. If this is true, it won’t be long before they self destruct.

  • Security and Web 2.0 do not fit. The only way is to take care of your privacy yourself and not to put content on the web you would not show to any stranger on the street.

  • Old bug, or new in the new site design

    • I don’t care if it’s old or new. It’s just NOT supposed to be there.

      And:

      How come there is no “maintenance” page up (while they’re hopefully trying to fix this bug)?

      It’s like saying “we don’t care if you’re exposed, we just don’t want people to know that we’re screwing up again”.

  • Well this is obviously not a big deal YET. It’s only revealing private picz to FB ‘friends’. Bad luck for the one who opted for hundreds or thousands of ‘friends’. What most FB users have done is voluntarily post open their private lives to the world of the Internet for FREE!!
    Bugs have always been and will always BE, can’t just blame FB. Users should understand why they are encouraged to post and share their privacy in public and what is behind FB’s generosity. Did you really expect FB and other social networking sites to invest money and infrastructure for people to have fun? You were optimistically naive. FB has always been simply monetizing your privacy. Should you have privacy expectation? Why not, education, for sure.

    • The issue is simple – ‘Friends’ you’ve put on your Limited Profile can see all your photos, wall posts etc with this bug, and it’s completely reasonable to not want to reject family members, work colleagues etc as ‘friends’, however not want them seeing your private life. It’s also a reasonable expectation if you put someone on a Limited Profile list, that they’re effectively able to remove themselves from it, become aware you had them limited, etc…

  • Another danger of underestimated public privacy is sexting.
    According to Parry Aftab, Cyberlawyer, on sexting: “It’s when young people take nude pictures or images of them engaging in real or simulated sex acts on their cell phones or webcams and then send them to others by cell phone or webcams. About 20% of the teen girls we polled said they had taken a nude or sexually explicit cell phone picture or webcam shot of themselves and shared it with others (most often their boyfriends). 14% of the boys share these “private” images with others when they break up with their girlfriends. And 44% of the boys polled admitted to having seen at least one of these sexual images of a classmate. 22% of the girls polled said that they regretted whatever they had recorded on their webcam and 71% use them in their bedroom. And older teens and young adults are even more at risk, with almost 40% of the teens over 18 and college students we polled said they had shared a nude or sexual image with their boyfriend or girlfriend online or by cell phone.”

  • Friday, March 20, 2009
    ‘Sexting’: self-destructive or simple rebellion?
    http://www.ocre...-school-parents

  • Wow, all the more reason to use MySPace!

    RT
    http://www.onli...-privacy.pro.tc

  • Hello,

    Please add your site at http://www.sweebs.com. Sweebs.com is a place where other people can find you among the best sites on the internet!
    Its just started and we are collecting the best found on the net! We will be delighted to have you in the sweebs listings.

    Regards
    Kris

  • and this is not funny.

    http://www.josi...6.wordpress.com

    now, imagine you as the subject of this situation, how would you get help?
    Please forward my page to anyone you think can help me. I just want to get out of this political disaster, and go home.

  • with this application you can view photos. its not against the facebook terms of service.

    http://apps.fac....com/josh_owns/

  • facebook claims this isn’t against their terms of service.

  • Well, that’s a terrible news for facebook users.

  • yet one more reason to use multiply.com if privacy is an issue for you.

  • This is exactly the reason why I only post nude and compromising photos of myself on MySpace, LinkedIn, flickr, and other popular social and professional networking sites where there’s absolutely no chance that they will ever be seen by anyone other than me and my special someone.

  • I think this problem has been around longer than this story. About two months ago I posted 2 photos of my kids that were supposed to be visible only to my wife and sister in law. The next day my coworker commented that she left a message on my wall about how cute they were. It freaked me out because alot of the people on my profile are business contacts or people that know me casually. I use the privacy settings to keep my private & professional life separate with all the psychos in the world.

  • I barely use facebook anymore, twitter has now consumed me.

  • oh yes… even i was wondering how could i see photos and wall posts of people i haven’t even added in my friends list :)

  • there’s a very easy way to prevent ALL privacy issues on facebook: Don’t put anything on facebook that you don’t want the world seeing.

    There, simple, done.

  • Facebook is full of holes, it’s even possible to see every single picture and not even need to sign up.

  • It doesn’t surprise me, I’ve become used to the fact everything on the web is available to someone.
    :) Sheri

  • I myself was never able to see anything private on facebook. I don’t know how people do it.

    Mohammad Afaq
    GAK People Search

  • there is nothing to hide – no where to run to

  • This Facebook issue is just another reminder that people can make great connections and develop relationships with social networks, but each person is responsible for how much personal information is being shared online.

    C. E. Reid, CSI
    Developer of Career Management Swiss Army Knife w/Smart Radar

  • Online identity expert Disk Hardt R-rated marriage pictures leaked:

    http://gawker.c...86537#c11486537

  • TwitterIsForSelfRighteousDoucheBags - March 22nd, 2009 at 11:54 am PDT

    There is nothing secure about Facebook, just about every day on 4chan there are new easy ‘exploits’ (usually just rearranging a few URL strings regarding user ID and hash) that allow you to get access to users private profiles, images, walls, whatever. It’s amusing that these security holes rarely make it onto popblogs like TechCrunch, and then they finally get patched.

  • FB’s privacy isn’t actually granular, or effective, at all. Groups are only for photos, and as several have pointed out, photos aren’t private in the least, just “hiding”.

    True privacy would be nice, allowing users to restrict exactly who can see what – links, notes, photos, everything – and actually limiting access so that nobody unauthorized can see anything, ever.

    Yeah, friends could copy content and post it somewhere else themselves, but no platform can prevent that. What a platform can and should do is ensure that it never does so itself. For instance, how in the world does it make sense that a video is supposed to be posted just for one’s friends, but as soon as one of them comments on it, all his/her friends can now see it too?

  • good article, useful, thanks

  • I use both Twitter and Facebook for networking. I noticed both web properties do show via Google results and images, what you have either Twittered and Facebook friends pics, articles or links shared. I’m not upset about this although, I can understand how some people don’t want to share there kids pics to the public.

  • so many private photos on Facebook?

  • Even more than a glitch – facebook actually broadcasts updates to private albums, so everybody knows you’ve updated them and then gives them access to see the images.

  • a few days ago i noticed a strange security flaw. mobile interface (m.facebook.com) revealed a friend removing relationship status which i could not find from web version. i did check this with different sources and still could see for a long time the “is no longer listed single” news in mobile but not in web version.

    i suspect my friend changed his relationship status, then deleted this “news” but mobile-version did not respect “privacy” in this case.

  • Is it true?

    Thanks for sharing important information…

  • I think my friend has private photos. On the profile page, it says view photos (120). But of the photos available altogether on the photos page, there is only 100!. Am I right in assuming there are private photo’s?

  • i think generally facebook does a pretty good job with the privacy settings, but we need to also be a bit digitally smart when it comes to social networking site and not putting a ton of private information online. social networking sites are now a big target for hackers and phishers, check out this article for more info

  • My question is: why worry about privacy when you enter your data, pictures and more on the Internet?
    Sorry the off-topic!

  • yes, i have noticed this as well. my friend posted some… interesting pictures of herself on facebook and i personally don’t think the photos should be allowed on Facebook
