Facebook reveals friends list even when it’s set to private

Don’t want the entire Facebook-using and -abusing population to see your friends list?

You can always set it to private, which Facebook, for some strange reason, labels “only me” in the “Who can see your friends list?” setting.

Fat lot of good it will do you, though.

Irene Abezgauz, a vice president of product management at the security software company Quotium, has discovered a way for any casual visitor, stranger, stalker or troll to see friends lists that users have set to private, including the friends on those lists who have themselves set their own lists to private.

To access anybody’s friend list, all someone has to do is to create a fake Facebook account and send a friend request to his or her target.

Even if the targeted Facebook user never responds to the friend request, the attacker is shown a list of his or her friends, courtesy of Facebook’s People You May Know feature.

According to VentureBeat, Abezgauz revealed the vulnerability at the recent AppSec USA 2013 security conference in New York.

Abezgauz told VentureBeat that Facebook’s playing fast and loose with this on-again, off-again approach to privacy:

It’s all about privacy and people trusting that Facebook is making the best effort to protect the privacy of users. … It’s not about protecting the privacy of users as long as it stays out of the way of Facebook growing and expanding.

Facebook’s People You May Know feature, introduced in 2008, helps people discover new connections, be they long-forgotten school chums or colleagues.

It both helps people to build out their Facebook networks and enables Facebook to build a treasure trove of valuable data about us and the people with whom we associate.

(That daisy-chaining analysis, of course, enables people like NSA agents to pull the communications of innocent people into far-reaching surveillance dragnets that snare friends of friends of actual targets, as was shown in recently revealed documents from whistleblower Edward Snowden.)

To exploit the privacy hole, an attacker creates a new user account on Facebook and sends a friend request to the victim.

Even if the intended victim declines the request, Facebook begins to suggest to the attacker people he or she may know, with the option of clicking a “see all” button for convenience.

The people in that list are friends of the target who received the request, even when the target’s friends list is set to private and the suggested users have set their own friends lists to private as well.
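The underlying problem is a familiar one in access-control design: the “only me” setting is enforced on one surface (the Timeline friend list) while a second feature reads the same friendship data through a path that never consults it. The following is an added example, not code from the article, from Abezgauz or from Facebook: a toy social graph in which the visibility check lives only in the Timeline view, a People You May Know routine that bypasses it, and a fixed routine that routes suggestions through the same policy check. The suggestion heuristic (treat a pending outgoing friend request as a link and suggest that person’s friends) and the constructed users are assumptions made for the illustration, not Facebook’s real algorithm.

```python
# Added example (not from the article, the researcher or Facebook): a toy model
# of an access-control check enforced on one surface but not another.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    friend_list_visibility: str = "public"          # "public" or "only_me"
    pending_from: set = field(default_factory=set)  # unanswered incoming requests


class SocialGraph:
    def __init__(self):
        self.users = {}

    def add_user(self, name, visibility="public"):
        self.users[name] = User(name, friend_list_visibility=visibility)
        return self.users[name]

    def befriend(self, a, b):
        self.users[a].friends.add(b)
        self.users[b].friends.add(a)

    def send_request(self, sender, target):
        # The request is recorded but never accepted; that is all the attacker needs.
        self.users[target].pending_from.add(sender)

    # Surface 1: the Timeline friend list. The visibility setting is checked here.
    def timeline_friends(self, viewer, owner):
        u = self.users[owner]
        if u.friend_list_visibility == "only_me" and viewer != owner:
            return set()
        return set(u.friends)

    # Surface 2 (leaky): People You May Know. ASSUMED heuristic, not Facebook's
    # real one: suggest the friends of anyone the viewer has an outstanding
    # request to. The visibility setting is never consulted on this path.
    def people_you_may_know_leaky(self, viewer):
        suggestions = set()
        for u in self.users.values():
            if viewer in u.pending_from:
                suggestions |= u.friends
        suggestions.discard(viewer)
        return suggestions

    # Surface 2 (fixed): same heuristic, but the friend data is obtained through
    # the single policy-checked accessor, so "only me" holds on every surface.
    def people_you_may_know_fixed(self, viewer):
        suggestions = set()
        for u in self.users.values():
            if viewer in u.pending_from:
                suggestions |= self.timeline_friends(viewer, u.name)
        suggestions.discard(viewer)
        return suggestions


def demo():
    # Constructed sample graph: a victim with three friends, all private.
    g = SocialGraph()
    g.add_user("victim", visibility="only_me")
    for f in ("alice", "bob", "carol"):
        g.add_user(f, visibility="only_me")
        g.befriend("victim", f)
    g.add_user("attacker")                 # fresh account with no friends
    g.send_request("attacker", "victim")   # never accepted
    return {
        "timeline": g.timeline_friends("attacker", "victim"),
        "pymk_leaky": g.people_you_may_know_leaky("attacker"),
        "pymk_fixed": g.people_you_may_know_fixed("attacker"),
    }


if __name__ == "__main__":
    for surface, names in demo().items():
        print(f"{surface}: {sorted(names)}")
```

The Timeline view returns nothing to the attacker, while the leaky suggestion path returns every one of the victim’s friends; the fixed path returns nothing because it asks the same question through the same accessor. The design lesson is the one a reviewer would raise on any such feature: a privacy setting has to be enforced at the data access layer, not re-implemented (or forgotten) per view.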

When Abezgauz brought the privacy issue to Facebook’s attention, it replied, in effect, that there was nothing to fix, since an outsider can’t tell whether the suggestions represent someone’s complete friends list:

If you don't have friends on Facebook and send a friend request to someone who's chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone's complete friend list.

But Abezgauz writes that research has shown that most of the friends list – which often includes hundreds of friends – is available to the attacker.

“In any case,” the researcher said, “even a partial friends list is a violation of user-chosen privacy controls.”

I checked with Facebook to see if private friend lists were still being pushed into People You May Know feeds. A spokesperson got back to me, and it doesn’t look like Facebook is planning to change anything any time soon:

Our policies explain that changing the visibility of people on your friend list controls how they appear on your Timeline, and that your friends may be visible on other parts of the site, such as in News Feed, Search and on other people's Timelines. This behavior is something we'll continue to evaluate to make sure we're providing clarity.

Is Facebook privacy only an illusion, designed to lull us into sharing more than we would if we knew what the company really did with our data?

I agree with Abezgauz on this issue: Facebook has no right to siphon our friends off of a list putatively set to be private.

Hands off, Facebook, and please, fix this privacy hole.

Screenshot courtesy of Flickr user FactoryJoe.