infoTECH Feature

November 25, 2013

Facebook Friends List Set as Private is Not So Private, Finds Quotium's Research

The debate over vulnerabilities in Facebook, the popular social networking service, has flared up yet again, with new research showing that attackers can see users' friends lists even when those lists are set to 'Private.'

Man is a social animal. This truth has given social networking services, which let individuals interact socially over the Internet, a large market in which to flourish. These services are reservoirs of their users' personal information.

Because of the few individuals engaged in undesirable online activities, such as attackers and hackers, that personal information is at risk. The question is: how are the social networking services dealing with them?

Recently, Facebook announced new policies intended to improve its users' experience. These have raised privacy concerns and drawn many critics.

Even though Facebook states that it has worked on its privacy controls, vulnerabilities have been found.

Irene Abezgauz, vice president of product management and leader at Quotium Seeker Research Center, an organization specializing in interactive application security testing (IAST), discovered a security flaw in Facebook’s privacy controls.

According to Abezgauz's findings, Facebook's 'People You May Know' feature makes it possible for attackers to view the friends list of any Facebook user, violating the privacy settings the user has chosen.

For those unaware, 'People You May Know' is the mechanism by which Facebook suggests new friends to users. It allows an attacker to discover a large part of a user's friends list even when the user has set that list to private.

First, an attacker creates a new Facebook account and sends a friend request to the victim. Once the request is sent, Facebook begins suggesting to the attacker people he or she may know, regardless of whether the victim has accepted or declined the request, and regardless of whether the victim's friends list is set to 'Private.'

Abezgauz's research found that this private data, which is supposed to be unavailable to anyone who is not a friend of the victim, becomes available to anyone, even though no interaction other than the sending of a friend request took place between the attacker and the victim.

Responding to this finding, Facebook cited in a statement, "If you don't have friends on Facebook and send a friend request to someone who's chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone's complete friend list."

Nevertheless, Abezgauz's research showed that most of the friends list is available to the attacker. This could enable identity theft or online abuse, both major concerns for individuals. In any case, exposure of even a partial friends list is a violation of user-chosen privacy controls.

The big question still remains: How will Facebook handle this vulnerability? 

Edited by Cassandra Tucker
