Facebook Security Hole Lets People Read Your Chats [UPDATED]

A new Facebook security hole makes it simple for your friends to read your instant messages and chat history and to see your inbox messages and friend requests. This isn’t even hard to do for the average person; no special technical knowledge is needed. As a matter of fact, users may already be exploiting this bug to stalk you on the hush. Ever wondered why that certain someone has a knack for knowing things about you that they shouldn’t? Maybe Facebook snitched. In just a few clicks, you can get a good look at your friends’ personal information.

  • Login to Facebook and click the Account tab on the top right
  • Choose Privacy Settings from the drop-down
  • Go to Personal Information and Posts
  • Click Preview My Profile on the right

Now you should be looking at a preview of your profile as other users see it. Here is where all the magic happens. Pick a victim real quick (I chose my little brother, but feel free to be creative) and type their name into the “Preview how your profile appears to another person” box. The page will update, and you should be able to access that person’s chat information on the bottom right. You should also see their pending friend requests, messages, and notifications on the top left.
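The shape of the bug described above is that the “preview as another person” page renders not only your profile through the other person’s eyes, but also that person’s session-bound widgets (chat, pending requests). The following is an added illustration, not Facebook’s code, and the mechanism it models (the preview swapping the acting user for the whole page rather than only for the visibility check) is an assumption about the bug, not something the post states. It shows a flawed renderer beside a fixed one and a check that flags the leak, using constructed sample users:

```python
from dataclasses import dataclass, field

# Hypothetical user model (constructed for this illustration).
@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    # profile field -> (value, audience); audience is "everyone", "friends" or "only_me"
    profile: dict = field(default_factory=dict)
    # Session-bound data: must only ever be shown to this user's own session.
    chats: list = field(default_factory=list)
    pending_requests: list = field(default_factory=list)


def public_view_of(owner: User, viewer: User) -> dict:
    """Profile fields of `owner` that `viewer` is allowed to see."""
    visible = {}
    for key, (value, audience) in owner.profile.items():
        if audience == "everyone":
            visible[key] = value
        elif audience == "friends" and viewer.name in owner.friends:
            visible[key] = value
        # "only_me" fields are never shown to anyone but the owner's own session.
    return visible


def render_preview_flawed(session_user: User, preview_as: str, users: dict) -> dict:
    """Assumed flawed behaviour: the whole page is rendered as if `preview_as`
    were the logged-in user, so their chat and friend requests leak."""
    acting = users[preview_as]
    return {
        "profile": public_view_of(session_user, acting),
        "chat": acting.chats,
        "friend_requests": acting.pending_requests,
    }


def render_preview_fixed(session_user: User, preview_as: str, users: dict) -> dict:
    """Fixed behaviour: only the visibility decision uses the previewed viewer;
    every session-bound widget stays tied to the real authenticated session."""
    viewer = users[preview_as]
    return {
        "profile": public_view_of(session_user, viewer),
        "chat": session_user.chats,
        "friend_requests": session_user.pending_requests,
    }


def preview_leaks(rendered: dict, session_user: User) -> bool:
    """Regression check: does the preview show anything that is not the
    logged-in user's own session-bound data?"""
    foreign_chat = [c for c in rendered["chat"] if c not in session_user.chats]
    foreign_req = [r for r in rendered["friend_requests"]
                   if r not in session_user.pending_requests]
    return bool(foreign_chat or foreign_req)


# Constructed sample data.
ME = User("me", friends={"brother"},
          profile={"city": ("Lagos", "everyone"),
                   "phone": ("555-0100", "friends"),
                   "diary": ("only for me", "only_me")},
          chats=["me -> alice: see you at 8"], pending_requests=["dave"])
BROTHER = User("brother", friends={"me"},
               chats=["brother -> carol: don't tell anyone"],
               pending_requests=["erin"])
STRANGER = User("stranger")
USERS = {u.name: u for u in (ME, BROTHER, STRANGER)}


def demo() -> dict:
    """Render both versions for the scenario in the post and report the leak."""
    flawed = render_preview_flawed(ME, "brother", USERS)
    fixed = render_preview_fixed(ME, "brother", USERS)
    return {"flawed_leaks": preview_leaks(flawed, ME),
            "fixed_leaks": preview_leaks(fixed, ME),
            "fixed_profile_as_brother": fixed["profile"],
            "fixed_profile_as_stranger": render_preview_fixed(ME, "stranger", USERS)["profile"]}


if __name__ == "__main__":
    print(demo())
```

The point of `preview_leaks` is that a “view as” feature needs a test that asserts the preview never contains data owned by anyone other than the authenticated user, independent of whose eyes the profile is being rendered through.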

I tried this out and it works. Very freaky stuff. I suspect that Facebook started working on the problem immediately because, as of this writing, the hole behaves erratically and Facebook chat is down for maintenance. Still, for a company that is advocating throwing privacy and caution to the wind and pushing everyone to become more public, they’re not doing a very good job of instilling confidence in their user base.

Even though I am one of the minority who is kind of on Facebook’s side as far as seeing the benefits of becoming more public and sharing more online, a bug which lets people accept and deny my friend requests and view my chat history turns my stomach. Just as in the real world, if you see one bug, there are probably a few more where it came from. I hope that this pushes Facebook to take a good long look at their code, because I’m pretty sure many privacy advocates are hard at work trying to break it. This is especially true given their recent changes in stance.

via eu.TechCrunch.com

UPDATE: Facebook just recently sent this statement to TechCrunch EU regarding the security hole, acknowledging that they fixed the problem and also patting themselves on the back a little.

“For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the “preview my profile” feature of Facebook privacy settings. When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete. Chat will be turned back on across the site shortly. We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented.”