

Facebook Hidden Friends Vulnerability? - ccINR
http://blog.cyberint.com/2014/05/facebook-hidden-friends-vulnerability.html
The vulnerability allows attackers to discover (more precisely: reconstruct) the private Friends List of any Facebook user.
======
jonchang
People have been writing about variations on the so-called "mutual friends
vulnerability" for years and years now. Facebook's response has always been
the same. You can control what people see on your own profile, but you cannot
control what people see on your friends' profiles. Just as if you write on
your friend's wall, revealing the fact that you are friends with that person,
simply being friends with that person will also reveal to people who can see
that friend's profile that the two of you are connected. The name of the
setting is "Who can see my friend list", not "Who can see me on my friends'
friend list", nor is it "Conceal all links to my profile from my friends'
profiles."

~~~
DominikR
It does reveal to the person you have mutual friends with, who those mutual
friends are, but I just can't see an obvious reason why this additional
information should be broadcast to everyone, even persons that are strangers
to you and the person you share part of your friends list with.

Edit: To clarify my standpoint I tested this on a friend of mine (person A),
that hides his friends list from everyone but his closest friends.

It just happens that I also befriended the person's best friend (person B), and
therefore I tried to get the mutual friends between person A and B. What I
received were 38 mutual friends, even though I can only see one mutual friend
between myself and person A.

That is clearly information that person A didn't intend to share with me,
therefore there has to be a bug or stupidity on Facebook's side involved to
uncover this information to me.

~~~
kamjam
Even from the example link the post gives, I am neither friends with Mark
Zuckerberg (who has a private list) nor Chris Hughes (who has a public friends
list). In this instance I have not had to befriend anyone!

[https://www.facebook.com/zuck/friends?and=ChrisHughes](https://www.facebook.com/zuck/friends?and=ChrisHughes)

And given that FB has a history of just changing the default security for
things without telling anyone, or making the defaults fully open/public, this
is a little worrying!

~~~
thefreeman
It seems like this could be pretty easily fixed by just not allowing arbitrary
usernames in the "and" parameter and instead using the currently logged in
user.

It wouldn't fix everything, but it would mean you at least need to befriend
someone in their network before being able to use this attack.

------
fleitz
The title seems very misleading, his friends list hasn't actually been
discovered, but rather a method that could discover parts of it.

Question for the arm chair lawyers: If he published said friends list could
the FB denial of a vulnerability be construed as evidence that he didn't hack
them as the functionality is intended and authorized?

~~~
kubiiii
HN, 1492. Christopher Columbus discovers America. HN user comment: pretty
misleading title, large parts of America are most probably not discovered yet.
Joke aside, I've seen far worse titles than this one.

~~~
a1a
To be fair it would really be misleading as he wasn't the one who "discovered"
America.

> He was the first person to establish long and meaningful connection with the New World that would eventually tie Europe to the Americas, but it is a misconception that he was the first to “discover” America.

[http://sites.psu.edu/mmancini/2012/09/08/1-columbus-was-the-first-a-misconception/](http://sites.psu.edu/mmancini/2012/09/08/1-columbus-was-the-first-a-misconception/)

Additional source:
[http://web.dsbn.edu.on.ca/~William.Randall@dsbn.edu.on.ca/FOV1-00141BFF/FOV1-00151235/Vikings%20%231.pdf](http://web.dsbn.edu.on.ca/~William.Randall@dsbn.edu.on.ca/FOV1-00141BFF/FOV1-00151235/Vikings%20%231.pdf)

~~~
kamjam
To be really fair, Columbus was searching for India when he first discovered
America, so I doubt he even knew what he had stumbled upon.

~~~
dragonwriter
IIRC, he continuously _insisted_ that he had reached the ("East", as we now
know them as a result of him being wrong) Indies, in fact.

------
currysausage
This: [https://www.facebook.com/search/4/photos-of](https://www.facebook.com/search/4/photos-of) is also quite interesting.
Did Zuck really want us to see this?
[https://www.facebook.com/photo.php?fbid=914230961663](https://www.facebook.com/photo.php?fbid=914230961663)

Yes, it's a public photo. But seeing all tagged public photos in one place is
a different thing. These photos are not shown when you click "Photos" on his
Timeline:
[https://www.facebook.com/zuck/photos_all](https://www.facebook.com/zuck/photos_all)

~~~
smackfu
That's interesting. For your friends, there is a "Photos of <friend>" item on
their photos page, but for non-friends it doesn't show.

But OTOH, if you're tagged in a public photo, like this case, I'm not sure
what expectation of privacy you should have. You can trivially untag yourself.

------
petercooper
Well all I discovered is I have 0 mutual friends with Mark Zuckerberg, so now
I feel even less important than usual, lol.

~~~
visakanv
You are important to somebody, Peter!

~~~
petercooper
Group hug!

~~~
Kliment
That and you should be happy you do not share "friends" with an antisocial
network operator that has an active neglect of other people's privacy.

~~~
rhizome
Take that, Zuck!

------
ape4
Once this exploit has a logo and a GUI then it becomes serious.

~~~
coolandsmartrr
Reminds me of Firesheep. Simple side-jacking implemented as a Firefox
extension with a real simple GUI. I recall that this prompted so many websites
to migrate to HTTPS.

~~~
meowface
It wasn't just a GUI, it was even a browser extension.

I'm surprised there isn't a popular point-and-click Windows GUI for ARP
spoofing yet. Something like driftnet but all sorts of data, and with
automatic spoofing done.

~~~
tokenizerrr
There is, and I've used it yeaaaars ago. It's called Cain & Abel and you can
find it at [http://www.oxid.it/cain.html](http://www.oxid.it/cain.html)

It has a bunch more features, but with a few clicks you can arp spoof your
entire network and start logging passwords.

~~~
meowface
I've used Cain & Abel before long, long ago. It's pretty close to what I'm
talking about, but I was thinking more of something revamped to be pretty and
user friendly even to someone who has no idea what ARP is or what "spoof"
means.

------
casouniquo
There are certain conditions to be met.

A - Friends Hidden. B - Friends Hidden. A and B are Friends. C - Not friends
with A and B.

If C views the mutual friends between A and B, C sees only those mutual friends
between A and B whose friends lists are open.

I.e., if the list shows D and E:

D - Friends should be viewable to everyone. E - Friends should be viewable to
everyone.

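The rules in this comment, and thefreeman's proposed fix of forcing the second side of the query to be the logged-in user, can be written down as a small access-control model. This is an added example, not Facebook's code and not from the linked post: it assumes a friendship graph with three constructed list settings (public, friends, only_me), the leaky rule as casouniquo describes it (A's and B's own settings are never consulted, only the settings of the mutual friends themselves), and a tightened rule in which the viewer is always one side of the query and each disclosed friendship must be visible to the viewer through at least one of the two friend lists (or both, when `strict=True`, which is the "either party can make it private" rule argued for further down the thread).

```python
"""Toy model of the mutual-friends visibility rules debated in this thread.

Constructed example, not Facebook's code: a small friendship graph with a
per-user "who can see my friend list" setting, the leaky behaviour that
casouniquo's comment describes, and the tightened behaviour thefreeman
proposes (the "and" side of the query is always the logged-in viewer).
"""
from dataclasses import dataclass, field

# Assumed settings; the real product has more options than these three.
PUBLIC, FRIENDS, ONLY_ME = "public", "friends", "only_me"


@dataclass
class Graph:
    friends: dict = field(default_factory=dict)      # user -> set of friends
    visibility: dict = field(default_factory=dict)   # user -> list setting

    def add_user(self, name, setting=PUBLIC):
        self.friends.setdefault(name, set())
        self.visibility[name] = setting

    def befriend(self, a, b):
        # Friendship is symmetric: both lists carry the edge.
        self.friends[a].add(b)
        self.friends[b].add(a)

    def can_view_list(self, viewer, owner):
        """May viewer open owner's friend list, under owner's own setting?"""
        if viewer == owner:
            return True
        setting = self.visibility[owner]
        if setting == PUBLIC:
            return True
        if setting == FRIENDS:
            return viewer in self.friends[owner]
        return False  # ONLY_ME

    def edge_visible(self, viewer, x, y, strict=False):
        """Is the x-y friendship disclosed to viewer?

        Default: disclosed if either list is open to the viewer ("if one
        person makes it public, it's public").
        strict=True: both lists must be open ("if either party makes the
        friendship private, it should be private").
        """
        if viewer in (x, y):
            return True
        lists = (self.can_view_list(viewer, x), self.can_view_list(viewer, y))
        return all(lists) if strict else any(lists)


def mutual_friends_as_described(g, viewer, a, b):
    """Behaviour the thread reports: any viewer may ask for A-and-B, and the
    result hides only mutual friends whose own list is closed. A's and B's
    own settings are never consulted, which is the leak."""
    return {d for d in g.friends[a] & g.friends[b]
            if g.visibility[d] == PUBLIC}


def mutual_friends_fixed(g, viewer, a, strict=False):
    """Tightened rule: the second party is always the viewer, and each
    disclosed edge a-d must itself be visible to the viewer."""
    return {d for d in g.friends[viewer] & g.friends[a]
            if g.edge_visible(viewer, a, d, strict)}


def build_thread_scenario():
    """Constructed graph mirroring DominikR's report: A hides the list,
    A's best friend B is public, they share friends D, E, F (F hidden),
    viewer V is friends with A and B only, and C is a stranger to all."""
    g = Graph()
    g.add_user("A", ONLY_ME)
    g.add_user("B", PUBLIC)
    for name, setting in (("D", PUBLIC), ("E", PUBLIC), ("F", ONLY_ME)):
        g.add_user(name, setting)
    g.add_user("V", FRIENDS)
    g.add_user("C", PUBLIC)
    g.befriend("A", "B")
    for name in ("D", "E", "F"):
        g.befriend("A", name)
        g.befriend("B", name)
    g.befriend("V", "A")
    g.befriend("V", "B")
    return g


if __name__ == "__main__":
    g = build_thread_scenario()
    # The stranger C learns A's hidden connections to D and E: {'D', 'E'}
    print("stranger C, as described:", mutual_friends_as_described(g, "C", "A", "B"))
    # With the viewer forced to one side, V learns only B, whose list is
    # public anyway; the stranger learns nothing.
    print("friend V, fixed:         ", mutual_friends_fixed(g, "V", "A"))
    print("friend V, fixed (strict):", mutual_friends_fixed(g, "V", "A", strict=True))
    print("stranger C, fixed:       ", mutual_friends_fixed(g, "C", "A"))
```

The tightened rule still tells V that B is friends with A, because B's list is public and V could have read it directly, which is the "it wouldn't fix everything" caveat in thefreeman's comment; the `strict` variant closes even that, at the cost of hiding friendships that one of the two parties chose to publish.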
------
DominikR
It is beyond me why Facebook would not consider this a privacy issue, if not a
bug.

I just can't imagine they intended to allow strangers to view the mutual
friends of anyone, so the person that responded to this bug report probably
didn't understand it, or is clueless, because the way this feature should work
is obvious.

Just allow to view the mutual friends between yourself and your friends.

~~~
okamiueru
Between yourself and anyone, I assume you meant. If not-your-fb-friends make
their friends list public, I don't see why you shouldn't be able to
cross-reference that.

~~~
DominikR
Like I stated in a comment above:

The current behaviour allows you to uncover mutual friends between person A
that has all connections hidden, and another person B that does not.

There's no way that I could know which specific friends of person B are also
on the friends list of person A just by looking at person B's friends list.

I also tested that "hack" with one of my friends that has all connections
hidden. (I only see 1 mutual friend and no other friends)

The result was that I could see 38 mutual friends between him and the mutual
friend I have with him.

And yes, that's what I meant. English is not my native language.

------
homakov
This is an issue - private friends should not have you as "public" friend in
their friend list. It makes it not private.

~~~
unreal37
With friendship, there are two people involved. One person can't demand the
friendship be private if the other disagrees. If one person makes it public,
it's public. It works that way in real life too.

~~~
tfinniga
"Tell you what, we both go to the same summer camp, so we can be camp friends.
But if I see you at school, I won't admit that we are friends. If you try to
bring it up, I'll deny it."

Facebook is always biased towards sharing information, instead of respecting
privacy. They also apparently don't have the technical ability to keep private
things private, as shown by the multiple leaks of Zuckerberg's information.
When was the last time that Larry Page's gmail was hacked?

In any case, I disagree with your point. I think if either party makes the
friendship private, it should be private.

~~~
afarrell
Your example seems contrived. I didn't have friends as a kid, so I don't
really know, but that seems like an unusual arrangement. At the very least, it
requires you to do it explicitly.

------
lifeisstillgood
The problem here is Wittgensteinian in nature - not some flaw in Facebook's
security but a misunderstanding of the word "privacy".

Surely at some point we need to revisit the word "privacy". The _expectation_
that one can keep secret our links to people when posting those links onto any
"public" forum must surely be disabused in our brave new world - our
expectations do not fit the economics of reality anymore.

~~~
frozenport
> misunderstanding of the word "privacy".

What? Facebook sold something as private but its not.

> The expectation that one can keep secret our links to people when posting
> those links onto any "public" forum

Facebook told me it was private...

~~~
lifeisstillgood
But privacy is not a "thing". It's not real; they can't sell it, in the same
way they can't tell you it's secure.

------
dang
We changed the title because "Mark Zuckerberg's private friends list
discovered" is shameless linkbait and added a question mark because the nature
of this vulnerability is in dispute.

------
soci
I saw the interface designer Mike Matas was in the list.

Mike Matas joined Facebook _a few days ago_ (incorrect! see bottom), before
that he founded Push Pop Press (digital publishing company). For some time he
worked at Apple designing new interfaces (presumably iOS 7) for iOS and Mac. He
was also the founder of Delicious Monster, the makers of Delicious Library,
whose interface was later copied by (inspired?) Apple's iBooks.

Mike being one of the 400+ friends of Zuck and also working at Facebook, I
wonder if they were real friends before being acqui-hired. Or maybe it's Zuck
adding him as a Facebook friend as a way of welcoming Mike to the company.

EDIT: Push Pop Press was acquired by Facebook 3 years ago, not a few days ago.
[http://pushpoppress.com/about/](http://pushpoppress.com/about/)

~~~
muglug
Mike Matas has been at Facebook for almost three years.

~~~
meowface
And now you see why Zuckerberg doesn't want people seeing his friends list.
They'll make speculations and assume certain things without any strong
evidence.

Of course, you'd think that'd encourage him to pressure devs to change this
"feature"...

------
taylorbuley
Interested to see an entry for the name "Boz" among the friends.

Facebook employees don't have to follow the real names policy?
[https://www.facebook.com/help/292517374180078](https://www.facebook.com/help/292517374180078)

~~~
ceejayoz
> Nicknames can be used as a first or middle name if they're a variation of
> your real first or last name (like Bob instead of Robert)

[https://en.wikipedia.org/wiki/Boz#People](https://en.wikipedia.org/wiki/Boz#People)

~~~
bostonpete
But in that case, shouldn't he show up as Boz Bosworth?

------
gdilla
Well, it is a social network. The social network, in fact. I would think if you
care about privacy you just wouldn't use it.

~~~
unreal37
Some might think this a glib response, but I've come to the conclusion that
there is no way to use Facebook and keep perfect privacy. You have to allow
others to interact with you, and their privacy settings combine with yours
for your mutual information. There's no way to keep 100% control of everything
that concerns you.

If you want 100% control, Facebook is not for you.

------
denzil_correa
Since Facebook says this is not a privacy violation, I totally expect Facebook
to not condemn the author of this hack.

~~~
michaelmcmillan
Wrong.
[https://www.facebook.com/apps/site_scraping_tos_terms.php](https://www.facebook.com/apps/site_scraping_tos_terms.php)

~~~
pistle
Yes. The author isn't seeing the ads this way and that's how the value
proposition is created. So yeah, the author should deal with it and watch all
the ads now...

If you give them your data, you should have little expectation of privacy.
Privacy, otherwise known as "doing the kabuki dance of selling me to
advertisers while making me feel like I am in control."

------
sbhere
So don't use facebook.

------
higherpurpose
I bet he wishes he used something a little more private right about now.

------
api
Privacy is obsolete, so I'm sure Mark has no problem with all his private
lists being posted. Right?

------
nostrademons
I wonder how long it'll be before Google uses this to scrape Facebook's social
graph...

------
wiradikusuma
How do I access that "Edit Privacy" dialog shown in the screenshot?

~~~
giovannibajo1
Go to
[https://www.facebook.com/me/friends](https://www.facebook.com/me/friends),
click on the pencil icon, select edit privacy.

Yes, it makes zero sense that this is the only privacy setting outside of the
whole privacy tab in the account settings.

~~~
makomk
There are several things that aren't part of the privacy tab as I recall - the
privacy settings for group membership and various other profile information
are elsewhere too.

------
jony65
It's about time that Facebook took privacy seriously!

------
a3voices
Misleading title; I don't see a list of Mark's friends. So it is still
unexposed.

~~~
tomp
Did you click on the link:
[https://www.facebook.com/zuck/friends?and=ChrisHughes](https://www.facebook.com/zuck/friends?and=ChrisHughes)

I can see 61 mutual friends, who are Mark's friends.

~~~
user24
114 friends here:
[https://www.facebook.com/zuck/friends?and=aaron](https://www.facebook.com/zuck/friends?and=aaron)

~~~
davej
167 friends:
[https://www.facebook.com/zuck/friends?and=aditya](https://www.facebook.com/zuck/friends?and=aditya)

~~~
yread
You can get a list of their likes too
[https://www.facebook.com/zuck/friends?and=aditya&sk=favorites](https://www.facebook.com/zuck/friends?and=aditya&sk=favorites)

------
don34
Where can I get the program?

------
kevinwang
Fun!

