Don’t want the entire Facebook-using and -abusing population to see your friends list?
You can always set it to private: the option labelled, for some strange reason, “only me” under the “Who can see your friends list?” setting.
Fat lot of good it will do you, though.
Irene Abezgauz, a vice president of product management at the security software company Quotium, has discovered a way for any casual visitor, stranger, stalker or troll to see friend lists that users have set to private, including friends who have also set their own lists to private.
To access anybody’s friend list, all someone has to do is create a fake Facebook account and send a friend request to his or her target.
Even if the targeted Facebook user never responds to the friend request, the attacker gets to see a list of the target’s friends, courtesy of Facebook’s People You May Know feature.
According to VentureBeat, Abezgauz revealed the vulnerability at the recent AppSec USA 2013 security conference in New York.
Abezgauz told VentureBeat that Facebook is playing fast and loose with privacy, protecting it only when doing so is convenient:
It’s all about privacy and people trusting that Facebook is making the best effort to protect the privacy of users. … It’s not about protecting the privacy of users as long as it stays out of the way of Facebook growing and expanding.
Facebook’s People You May Know feature, introduced in 2008, helps people discover new connections, be they long-forgotten school chums or colleagues.
It both helps people to build out their Facebook networks and enables Facebook to build a treasure trove of valuable data about us and the people with whom we associate.
(That daisy-chaining analysis, of course, enables people like NSA agents to pull the communications of innocent people into far-reaching surveillance dragnets that snare friends of friends of actual targets, as was shown in recently revealed documents from whistleblower Edward Snowden.)
To exploit the privacy hole, an attacker creates a new user account on Facebook and sends a friend request to the victim.
Even if the intended victim declines the request, Facebook begins to suggest to the attacker people he or she may know, with a convenient “see all” button to expand the list.
The people suggested in that list are friends of the target who received the friend request, even when the victim’s friends list is set to private and the suggested users have also set their own friends lists to private.
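To make the access-control failure concrete, here is an added toy model of the leak (example code written for this page, not Facebook’s code and not from Abezgauz’s research). A small social graph records friendships and each user’s “Who can see your friends list?” setting. `visible_friends` is the timeline check that honours the setting. `pymk_leaky` mirrors the behaviour described above: once the attacker has merely sent a friend request, the suggestion engine serves up the victim’s friends without consulting the setting. `pymk_hardened` runs every candidate through the same visibility check the timeline uses, so a friendship is suggested only when the viewer could already see it on one of the two friends’ timelines. All names, settings and the graph itself are constructed for the example.

```python
"""Toy model of the People You May Know (PYMK) friends-list leak.

Added illustration, not Facebook's code. Users, settings and friendships
below are constructed for the example.
"""
from dataclasses import dataclass, field

PUBLIC, FRIENDS, ONLY_ME = "public", "friends", "only_me"


@dataclass
class User:
    name: str
    friends_list_visibility: str = PUBLIC          # "Who can see your friends list?"
    friends: set = field(default_factory=set)
    pending_from: set = field(default_factory=set)  # requests received, not yet answered


class SocialGraph:
    def __init__(self):
        self.users = {}  # name -> User

    def add_user(self, name, visibility=PUBLIC):
        self.users[name] = User(name, visibility)
        return self.users[name]

    def befriend(self, a, b):
        self.users[a].friends.add(b)
        self.users[b].friends.add(a)

    def send_request(self, sender, target):
        # The target never has to accept; the pending request alone is enough.
        self.users[target].pending_from.add(sender)

    def can_see_friends_list(self, viewer, owner):
        """The access check the timeline applies to `owner`'s friends list."""
        u = self.users[owner]
        if viewer == owner or u.friends_list_visibility == PUBLIC:
            return True
        if u.friends_list_visibility == FRIENDS:
            return viewer in u.friends
        return False  # ONLY_ME

    def visible_friends(self, viewer, owner):
        """What `viewer` sees on `owner`'s timeline under the owner's setting."""
        if self.can_see_friends_list(viewer, owner):
            return set(self.users[owner].friends)
        return set()

    def _candidates(self, viewer):
        """Friends of everyone the viewer has a pending request to: (friend, via)."""
        for target, u in self.users.items():
            if viewer in u.pending_from:
                for f in u.friends:
                    if f != viewer and f not in self.users[viewer].friends:
                        yield f, target

    def pymk_leaky(self, viewer):
        """Suggestions as the post describes them: no visibility check at all.
        Returns {suggested_user: via_user}."""
        return {f: via for f, via in self._candidates(viewer)}

    def pymk_hardened(self, viewer):
        """Same candidates, but the friendship (via, f) is only suggested if the
        viewer could already see it on the timeline of either side. Two
        'only me' users therefore never leak their connection."""
        out = {}
        for f, via in self._candidates(viewer):
            edge_visible = (f in self.visible_friends(viewer, via)
                            or via in self.visible_friends(viewer, f))
            if edge_visible:
                out[f] = via
        return out


def exposure(graph, viewer, victim, pymk):
    """Fraction of the victim's friends list the viewer recovers through `pymk`."""
    friends = graph.users[victim].friends
    if not friends:
        return 0.0
    leaked = {s for s, via in pymk(viewer).items() if via == victim}
    return len(leaked & friends) / len(friends)


def build_scenario():
    g = SocialGraph()
    g.add_user("alice", ONLY_ME)    # the victim hides her list
    g.add_user("bob", ONLY_ME)      # friend of alice who also hides his list
    g.add_user("carol", PUBLIC)     # friend of alice with a public list
    g.add_user("dave", FRIENDS)     # friend of alice, list visible to dave's friends only
    g.add_user("mallory")           # brand-new attacker account, no friends
    for f in ("bob", "carol", "dave"):
        g.befriend("alice", f)
    g.send_request("mallory", "alice")  # alice never responds
    return g


if __name__ == "__main__":
    g = build_scenario()
    print("timeline view of alice's list:", g.visible_friends("mallory", "alice"))
    print("leaky PYMK:   ", g.pymk_leaky("mallory"))
    print("hardened PYMK:", g.pymk_hardened("mallory"))
    print("exposure leaky / hardened: %.2f / %.2f" % (
        exposure(g, "mallory", "alice", g.pymk_leaky),
        exposure(g, "mallory", "alice", g.pymk_hardened)))
```

In the constructed scenario the timeline correctly shows Mallory nothing, yet the leaky suggestion engine hands over all three of Alice’s friends, including Bob, whose list is also “only me”. The hardened version still surfaces Carol, because Carol’s own public list already discloses the Alice–Carol friendship on Carol’s timeline, which is exactly the case Facebook’s reply points to; it surfaces nothing for Bob or Dave. The design lesson generalises beyond PYMK: any derived view (suggestions, search, activity feeds) has to reuse the same visibility policy as the primary object, or the setting is only cosmetic.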
When Abezgauz brought the privacy issue to Facebook’s attention, it replied that there was no problem, since an attacker cannot know whether the suggested friends represent someone’s complete friend list:
If you don't have friends on Facebook and send a friend request to someone who's chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone's complete friend list.
But Abezgauz writes that in her testing, most of the friends list – which often runs to hundreds of friends – was available to the attacker.
“In any case,” the researcher said, “even a partial friends list is a violation of user-chosen privacy controls.”
I checked with Facebook to see if private friend lists were still being pushed into People You May Know feeds. A spokesperson got back to me, and it doesn’t look like Facebook is planning to change anything any time soon:
Our policies explain that changing the visibility of people on your friend list controls how they appear on your Timeline, and that your friends may be visible on other parts of the site, such as in News Feed, Search and on other people's Timelines. This behavior is something we'll continue to evaluate to make sure we're providing clarity.
Is Facebook privacy only an illusion, designed to lull us into sharing more than we would if we knew what the company really did with our data?
I agree with Abezgauz on this issue: Facebook has no right to siphon our friends off of a list putatively set to be private.
Hands off, Facebook, and please, fix this privacy hole.
Screenshot courtesy of Flickr user FactoryJoe.
Coincidentally, I just recently set up a NEW Facebook page with hardly any information. I had yet to add friends and it was set entirely to private until completion. YET… it instantly generated a “people you may know” list, the top 18 of which were actually people I knew well, and also a number of business acquaintances. Keep in mind that I’ve *never* had a Facebook page, so the idea that they could recognize people I knew so quickly was a bit scary. Well-crafted algorithms aside, there has to be something much simpler at play. I ultimately determined that FB could only have gleaned email addresses from my Outlook contacts & email, since ALL of the people I recognized could be found in my email in some form (I found nearly 30). Conversely, all of these people also had my email as well. Within hours, I was convinced that I was originally correct in *not* having a Facebook page at all, and it was removed. Convince me I’m wrong, I dare you.
I believe it would be impossible to convince you otherwise, even if presented with incontrovertible proof.
This could very well be coming from other people’s email accounts, perhaps from people who even tried to add you on Facebook.
Your friends obviously synchronized their phone/gmail contacts with Facebook and therefore Facebook recognized the connection when you signed up with the same email address that your friends use to communicate with you.
Facebook cannot access your Outlook.
Actually, it’s because all those friends of yours send YOU emails and Facebook has their contact list stored for whatever reason. So when you go to create a new FB account using that same account their other FB users send stuff to… FB is all like, oh hey, here’s all your friends you can add. Still creepy as hell.
It’s been like this for YEARS. Surprised security researchers are just getting around to it…
Interesting to know, thanks for the information, Naked Security.
You’re welcome!
Let’s be honest here, Facebook is just the tip of the iceberg!
What with the NSA in the USA and UK capturing all the world’s traffic, Facebook seems rather insignificant in the big picture.
Well, yes, the iceberg is pretty darn big. But that doesn’t preclude us covering one of its tips—particularly when it comes to a platform such as Facebook, on which people tend to reveal quite a bit of personal information. If you want to get a handle on who’s doing what with your personal data, I would suggest that you really can’t pay attention only to the NSA and other government surveillance programs. You’ve got to also be aware of privacy features from services such as Facebook.
Furthermore… I truly can understand the anger at the NSA for their practices, but I don’t hear anyone blaming themselves for “giving” away information to Facebook and other social media sites. Lisa, I’d like to see an article on how Spokeo gets the information it has… or how using all of those “free” services online basically amounts to giving away everything that you think is secret… and let’s not even get started on Google.
Interesting idea for an article, wrap2tyt, thank you. It seems obvious, though, that we’re trading our personal data for “free” services, no? Is there really anybody out there who doesn’t know that by now? Oh, and please, feel free to get started on Google. 😉
I don’t think the NSA is selling your personal information for profit… but Facebook is…
Yes, it is true. Also please take a look at the timeline issue. Mine is set to only friends, yet it is being made public. I know because a friend of mine just signed up for Facebook and when she looked me up, not yet being a friend, she was able to look at my timeline, friends and photos. Reported it to Facebook twice and got no answer.
It was really informative, Lisa… thanks for sharing.
You’re welcome!
Scary thought. With all the major Social platforms feeding information to the NSA and government, this doesn’t surprise me. The number of times Facebook is insane. They just won’t let you go!
I think it really boils down to this. If you want privacy. Don’t use the internet as a method for networking.
You should be able to keep in touch with family and friends on the most popular social networking site while expecting a level of privacy. Saying ‘don’t use the internet’ is very dumb.
There are a lot of ways to keep in touch without use of the internet… If it’s privacy that you want or worry that much about, why take the chance at all!!?? To me, privacy and Facebook do not go hand in hand!! What the hell kind of “secrets” does everyone have that they are so concerned about, at least things that they would put on Facebook in the first place! Lol
I’m ready to deactivate my account like so many people have done.
If you’re willing to deactivate your account, then it means you don’t care for the social connection or for people to contact you that way. If so, then why do you have an account in the first place?!? And why did you bother to put any personally identifiable information in it in the first place (as compared to blank fields or made-up info)?
‘Cause sometimes you’ve just had enough.
I used to have an FB account, up until about two, two and a half years ago. Then I deleted it and never looked back. I figured email was a nicer, more connected way to communicate. Apparently (as we know now) email isn’t secure either.
But at least *anyone* cannot access my email, so there’s that. There is always a line for people beyond which they are no longer accepting the terms and conditions of a particular service, no matter how useful that service is. Looks like that line has been crossed for the dude above you.
If you have a lot of pictures, contacts and other information there… you’d better start now, and don’t forget to get the instructions that let you “really” remove the page versus just “suspending” it. You may think you’re deleting it but… not really.
Ready? Really? Then why don’t you do it?
It seems to me that anonymity is a thing of the past now; gone are the days of the internet being a cool new thing. Now it’s just a tool for product marketing and social surveillance.
I agree with Anonymous. Any time you find a good thing, the only way it will remain special requires that one keep silent about it. Once it gets “found out” by the general public you can kiss your novel, “hip” new hangout, hobby, person or other _______ [insert noun of your own choice HERE] goodbye! It’s sad how money and commercialism always seem to win out. I guess it boils down to human nature and our inability to keep anything interesting to ourselves and for it to remain PRIVATE and/or OFF LIMITS; therefore, on the internet you are fooling yourself if you think it can be done.
I once made a fake FB account for testing purposes. I used private browsing in order to avoid having to log out of my real FB account. The two accounts never became friends or shared anything. The email address cannot be tracked to me either.
Yet every week, this email account receives an email with friend suggestions. I know about 75% of those people. With some of them, I’m not even friends on FB with my real account.
So…… you can no longer hide from search, you’re supposed to use your real name, and now anyone can harvest your friends list. Sounds like a recipe for stalking/phishing/spying/harassment. Anyone who needs the slightest bit of OPSEC in their life really has no choice but to avoid social media altogether….
I’ve discovered this exact vulnerability (it is really a vulnerability, since you even see friendships when both people have set their friends list to “only me”) about a year ago and sent Facebook the description to their white hat program. Their response was more or less “won’t fix, no security issue”. But it’s kind of funny to see a public blog post about this issue now, maybe this creates some pressure.
And people still use it. I don’t get it.
This was the line, for me. I already had someone stalk me back to my locked down Facebook via a 100×100 GIS reverse search. Closed it today (and I have to wait 14 days). Dirtbags.
While I agree that if a company (in this case FB) says that a particular service is handled in a particular way (in this case privacy), then it needs to deliver that. Anything else is not only unethical, but really seems like it’s breaching a law somewhere.
But at the same time, people need to take responsibility for themselves as well. If there’s something you don’t want other people to know, don’t put it on the internet…