Facebook Privacy Bugs w/ New Design - psyklic
http://www.techcrunch.com/2009/03/20/facebook-bug-reveals-private-photos-wall-posts/

======
markm
This bug has been around for at least 6 months, ever since just after the last
major Facebook Profile redesign that moved profiles towards the 'Boxed'
design.

For me, the bug lasted for at least an hour, or at least enough time for me to
notice the bug, re-create a few friends lists, and browse a couple profiles.
The next day when I logged on things were completely back to normal - AND my
old friend lists had been restored.

One of the first things I noticed was that my friends lists had been deleted -
and subsequently they no longer applied to photos privacy settings.
Unfortunately I don't remember how or why I noticed this, maybe it was part of
the exploratory feeling you get when something gets deactivated for a week and
you want to make sure everything is OK.

The situation also applied to my friends whose friends lists I was on. For
example, if my friends didn't allow anyone to see tagged photos, I couldn't
see their photos. But if my friend had just not allowed their 'Work friends'
list to see their photos, and I was a Work friend, I could see their photos
because my account no longer appeared under their friends lists entitled 'Work
friends' - at least that's what I presume to have happened.

I do not recall if this affected the Networks as well. I don't recall if I was
able to see normally private photos from strangers in other regional, high
school or University networks. If it did, I probably would have a recollection
of it because I did do some experimenting to see how far the bug extended.

Did I find any steamy secrets? Yes, in the form of insights into the nature of
the human spirit and desire for privacy. And no, in regards to the
underwhelming nature of photos. I should probably hang around in more exciting
circles.

------
jkincaid
Actually I'm not sure this had anything to do with the new design. It may have
been coincidence that the bug was found now (I'll try to find out).

------
ErrantX
This is just the tip of the iceberg. I've been picking at the new design for
nearly a week and there is a host of security flaws and loopholes left there.

(up your privacy settings if you want to remain private!)

------
psyklic
Why are they storing whose info I have access to see inside MY profile data
and not within the profile data of the other user?

~~~
philh
That's not necessarily what's happening. Another plausible explanation is that
when you deactivate your account, you're removed from various lists in the
profile data of all your friends. When you activate it again, you aren't put
back on the list until a regularly scheduled task runs (or until data
propagates through the servers?). So if one of the lists is "deny from seeing
these photos", you get to see them until that happens.
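The mechanism philh sketches can be made concrete. The following is an added toy model, not code from the thread or from Facebook: it assumes that each profile owns its friend lists and per-album rules, that deactivation strips a user from every list on other profiles (philh's hypothesis), and that a later "scheduled task" restores the memberships. The point it shows is the one a defender cares about: an album rule written as "everyone except list X" fails open the moment list membership is lost, whereas a rule written as "only list X" fails closed. All names and data are constructed.

```python
"""Toy model of list-based photo privacy (added example, not the site's code).

Demonstrates why a deny-list rule leaks when a viewer silently drops out of
the owner's friend lists, while an allow-list rule merely withholds access.
"""

from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    friends: set = field(default_factory=set)
    # Friend lists this profile owns: list name -> set of member usernames.
    # Assumption: lists live on the owner's profile, not the viewer's.
    lists: dict = field(default_factory=dict)
    # Album -> ("deny", list_name) means everyone but that list may view;
    #          ("allow", list_name) means only that list may view.
    album_rules: dict = field(default_factory=dict)


def memberships_of(directory, user):
    """Snapshot every (owner, list) pair the user currently belongs to."""
    return [(p.name, lname) for p in directory.values()
            for lname, members in p.lists.items() if user in members]


def deactivate(directory, user):
    """Hypothesised bug: deactivation removes the user from all friend lists
    on other profiles but leaves the friendship itself intact."""
    for p in directory.values():
        for members in p.lists.values():
            members.discard(user)


def reactivate(directory, user, saved_memberships):
    """The 'regularly scheduled task': put the user back on the saved lists."""
    for owner, lname in saved_memberships:
        directory[owner].lists[lname].add(user)


def can_view(owner, viewer, album):
    """Evaluate the owner's rule for an album against a viewer."""
    if viewer not in owner.friends:
        return False
    mode, lname = owner.album_rules[album]
    members = owner.lists.get(lname, set())
    if mode == "deny":
        # Fail-open: if the viewer vanished from the list, the block vanishes too.
        return viewer not in members
    if mode == "allow":
        # Fail-closed: lost membership means lost access, never extra access.
        return viewer in members
    raise ValueError(f"unknown rule mode {mode!r}")


def build_scenario():
    """Constructed data: alice hides 'party' from work friends and shows
    'offsite' only to work friends; bob is on her 'Work friends' list."""
    alice = Profile("alice", friends={"bob"})
    alice.lists["Work friends"] = {"bob"}
    alice.album_rules["party"] = ("deny", "Work friends")
    alice.album_rules["offsite"] = ("allow", "Work friends")
    return {"alice": alice}


def run_scenario():
    """Return bob's visibility of (party, offsite) before, during and after
    the deactivate/reactivate cycle."""
    directory = build_scenario()
    alice = directory["alice"]

    def view():
        return (can_view(alice, "bob", "party"),
                can_view(alice, "bob", "offsite"))

    before = view()
    saved = memberships_of(directory, "bob")   # what a safe deactivation keeps
    deactivate(directory, "bob")
    during = view()                             # deny rule now leaks 'party'
    reactivate(directory, "bob", saved)
    after = view()
    return before, during, after


if __name__ == "__main__":
    print(run_scenario())
```

Run as-is, the deny-protected album becomes visible while the membership is missing and the allow-protected album does not; once the memberships are restored both return to their original state, matching markm's report that things were "back to normal" the next day. The design lesson is that privacy rules should be expressed as explicit grants evaluated with a default of deny, and that any operation which clears relationship data (deactivation here) should snapshot and restore it atomically rather than relying on a later job.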

