
Facebook reveals friends list even when it’s set to private - ohjeez
http://nakedsecurity.sophos.com/2013/11/25/facebook-reveals-friends-list-even-when-its-set-to-private/
======
wreegab
Also, sophos.com revealed to facebook.com, through an iframe, that I went and
read an article on sophos.com about a facebook.com vulnerability.

------
crbnw00ts
It's long past time for Facebook to simply stop using the words "private" and
"delete" on any of their pages, because they obviously don't mean it whenever
they use them.

------
rgj
I once made a fake FB account for testing purposes. I used private browsing in
order to avoid having to log out of my real FB account. The two accounts never
became friends or shared anything. The fake account does not have friends at
all. The email address cannot be tracked to me either.

Yet every week, this email account receives an email with friend suggestions.
I know about 75% of those people. With some of them, I'm not even friends on
FB with my real account.

~~~
nick2
Nothing strange about this. They see that both accounts are accessed from the
same ip, so they assume you must know each other.

~~~
pera
Maybe it's not strange, but it sucks from a privacy PoV: if you can register
an account with somebody else's IP address, you will know who their circle of
friends is, even if the person opted for having the friend list hidden from
everyone.

------
RexRollman
I think Facebook should just stop playing games and state that nothing will be
private with the exception of personal messages. At least then everyone will
know what to expect.

~~~
nilved
As if personal messages are private!

~~~
haversine
In what way are they not private?

~~~
wmeredith
Have you heard of the NSA? I think it's pretty safe to say at this point that
NOTHING online is private.

~~~
judk
Accidentally upvoted. NSA getting everything is not the same as everyone
getting everything. NSA doesn't share with my mom.

~~~
lazyjones
Privacy doesn't mean "not everyone is getting everything". If FB shares my
secrets with anyone without my consent, they're violating my privacy. They
don't need to make them available to _everyone_ for that.

------
kirab
I discovered this exact vulnerability (it is really a vulnerability, since
you even see friendships when both people have set their friends list to "only
me") about a year ago and sent Facebook the description through their white hat
program. Their response was more or less "won't fix, no security issue". But
it's kind of funny to see a public blog post about this issue now; maybe this
creates some pressure.

------
phwd
The friend list issue seems to be always a "won't fix". I'm pretty sure that
every so often security researchers and testers reach this "vulnerability" by
one method or another. I've gotten a similar response from the Security Team
for trying to dig up friend lists. Maybe it helps, maybe it doesn't. I've
learned to accept the stance and move on to other security holes.

"A friend connection is two-way - you friend someone, then they approve the
friend request. In essence, a friend connection means both "Philippe considers
John a friend" and "John considers Philippe a friend". In other words, both
people involved have some ownership over this claim - which means the privacy
isn't always as simple as with other content."

"Let me use the third example in your screenshots to illustrate. Mark
Zuckerberg's friend list is not public. But Greg Golkin's friend list is
public - meaning if you pull up Greg's friends, you can see Mark in the list.
You can also see Kevin Scott is in the list. Kevin's friend list isn't
public... but Stuart Gillette's is, so you can see Kevin show up there.
Consequently, using fb:degrees hasn't shown you any information you couldn't
theoretically figure out by looking at public friend lists - it's just made it
easier to find that info."

"Now I realize that at first glance this might appear to be inconsistent or a
privacy violation. But remember what I said earlier about the two parties involved in
a friendship connection. Essentially, you're free to hide the fact that you
consider John a friend, but it's also John's choice to publicize that he
counts you as a friend - and hiding connections he's publicized would
essentially override his privacy wishes. In some cases, such as with
fb:degrees, we show connections if they're visible to you on at least one side
of the friendship."

"Now, if Mark's list is private and all of his friends set their lists to
private too, you should never get a result using fb:degrees. In that case, any
final link in the chain connecting you to Mark would involve a friendship that
was hidden to you from both sides of the connection, so we wouldn't display it
to you."

"A common case where we get similar reports is the "friendship page" between
two people - we show mutual friends of the two people if each of the two
friend connections is visible to you on at least one side, but we hide any
mutual friends where one of the connections is hidden on both sides. To help
clarify some of these situations, we added this description to the friend list
privacy setting: "Remember: Your friends control who can see their friendships
on their own timelines. If people can see your friendship on another timeline,
they'll be able to see it in news feed, search and other places on Facebook.
They'll also be able to see mutual friends on your timeline."

This is a case where privacy can get complicated, but we think the way we've
chosen to operate is a good balance of the competing priorities involved.
We've also chosen to focus more on privacy controls around your content and
personal information, since trying to maintain privacy by limiting
discoverability is often an illusion. Since Facebook is a network designed for
social participation, it's nearly impossible for it to work properly and let
people stay completely hidden - there are many ways to discover a profile or
friendship beyond friend lists or searches. But even if someone discovers your
profile, you have a great degree of control about what they can then access.

I hope that helps clarify what you were observing here. Emrakul was also
correct that we have rate limiting to prevent brute-forcing at scale, and
given the above controls, even building up a list through iterations would
never allow you to know for sure if you'd acquired the entire hidden friend
list. I think our current setup is working as intended here, but definitely
let us know if you think the controls I described can be overridden somehow."
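
To make the rule in the quoted reply concrete, here is an added toy model of
friend-list visibility. It is not Facebook's code and not part of the original
thread; the logic is a straightforward reading of the quoted text ("we show
connections if they're visible to you on at least one side of the friendship",
mutual friends shown only when both connections are visible on at least one
side, and no fb:degrees result when every link in the chain is hidden on both
sides). The class and method names are assumptions, and the accounts and
friendships are constructed to mirror the quoted illustration.

```python
from collections import deque


class FriendGraph:
    """Toy model of the quoted visibility rule (assumption, not Facebook's code).

    A friendship (a, b) is shown to a viewer if it is visible on at least one
    side: the viewer may see a's friend list, or the viewer may see b's.
    """

    AUDIENCES = ("public", "friends", "only_me")

    def __init__(self):
        self.friends = {}   # user -> set of friends (kept symmetric)
        self.audience = {}  # user -> audience of that user's own friend list

    def add_user(self, user, audience="public"):
        if audience not in self.AUDIENCES:
            raise ValueError("unknown audience: %r" % audience)
        self.friends.setdefault(user, set())
        self.audience[user] = audience

    def set_audience(self, user, audience):
        if audience not in self.AUDIENCES:
            raise ValueError("unknown audience: %r" % audience)
        self.audience[user] = audience

    def befriend(self, a, b):
        # A friend connection is two-way, so both directions are recorded.
        self.friends[a].add(b)
        self.friends[b].add(a)

    def list_visible_to(self, owner, viewer):
        """Does owner's OWN setting let viewer see owner's friend list?"""
        if viewer == owner:
            return True
        setting = self.audience[owner]
        if setting == "public":
            return True
        if setting == "friends":
            return viewer in self.friends[owner]
        return False  # only_me

    def friendship_visible(self, a, b, viewer):
        """The quoted rule: shown if visible on at least one side."""
        if b not in self.friends[a]:
            return False
        return self.list_visible_to(a, viewer) or self.list_visible_to(b, viewer)

    def recoverable_friends(self, target, viewer):
        """Friends of target that viewer can learn about from the other side,
        regardless of target's own setting: the leak the thread is about."""
        return {f for f in self.friends[target]
                if self.friendship_visible(target, f, viewer)}

    def mutual_friends_page(self, x, y, viewer):
        """Mutual friends of x and y shown to viewer on their friendship page:
        both connections must be visible on at least one side."""
        return {m for m in self.friends[x] & self.friends[y]
                if self.friendship_visible(x, m, viewer)
                and self.friendship_visible(y, m, viewer)}

    def visible_path(self, viewer, target):
        """Shortest chain from viewer to target using only friendships visible
        to viewer (the fb:degrees behaviour the quote describes), or None."""
        prev = {viewer: None}
        queue = deque([viewer])
        while queue:
            u = queue.popleft()
            if u == target:
                path = []
                while u is not None:
                    path.append(u)
                    u = prev[u]
                return path[::-1]
            for v in self.friends[u]:
                if v not in prev and self.friendship_visible(u, v, viewer):
                    prev[v] = u
                    queue.append(v)
        return None


def build_example():
    """Constructed data mirroring the quoted illustration; not real accounts."""
    g = FriendGraph()
    g.add_user("mark", "only_me")    # hides his own friend list
    g.add_user("greg", "public")     # friend of mark, list is public
    g.add_user("kevin", "only_me")   # friend of mark, list is hidden
    g.add_user("stuart", "public")   # friend of kevin, list is public
    g.add_user("alice", "public")    # the viewer, friend of greg and stuart
    g.befriend("mark", "greg")
    g.befriend("mark", "kevin")
    g.befriend("kevin", "stuart")
    g.befriend("alice", "greg")
    g.befriend("alice", "stuart")
    return g


def demo():
    g = build_example()
    leaked = g.recoverable_friends("mark", "alice")  # greg's public list leaks mark
    hidden = g.friends["mark"] - leaked              # mark-kevin is hidden on both sides
    path = g.visible_path("alice", "mark")           # reaches mark via greg only
    g.set_audience("greg", "only_me")                # now every link to mark is hidden
    after = g.recoverable_friends("mark", "alice")
    return leaked, hidden, path, after, g.visible_path("alice", "mark")
```

The point the model makes explicit is that a friend-list setting is a
disjunction over a shared object: "only me" on one side hides nothing while
the other side is public, so the check for "is my list private?" has to be run
over every friend's setting, not just your own. Setting `kevin` to the
"friends" audience shows the intermediate case: `stuart` (a friend of Kevin)
then sees the Mark-Kevin edge, while `alice` still does not.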

~~~
Pxtl
Obviously there will be a contention when you have an asset that is shared and
they flag it in a different way... and on a certain level it makes sense that
"public" wins when you have 1 public and 1 private because if _one_ person
chooses to share anything else then it's public, so why should connections be
different?

But on another level, no.

If a person has decided their connections are private information, then the
implication is pretty strong that they could expect that to be private
_completely_. Otherwise I would expect a warning of some-kind on my "private"
connections that are actually public because the other end is public. They are
completely violating the user's expectation and the described functionality of
that option.

~~~
msg
Right, when preferences are in conflict do you protect the person who cares or
the person who doesn't?

Also privacy is like a thermodynamic arrow. You can't unspread a secret or
make public information private. So you shouldn't treat the decision to go
public lightly.

~~~
saraid216
> Also privacy is like a thermodynamic arrow.

Running off on a tangent, that's a really interesting analogy. I wonder how
much could be done with the notion that privacy is the opposite of entropy:
that is, privacy is about minimizing the arrangements of how your information
is formed, and there's a universal, inevitable trend towards maximizing those
arrangements. Differently, privacy as the _predictability_ of how a piece of
information moves: as entropy, or publicity, increases the predictability of
the information becomes less as its possibility space increases.

~~~
msg
This notion makes sense to me. The more public or quotidian your thoughts and
behavior, the greater chance that people will be able to nail you down. And
there are interesting feedback loops when you go public, then people expect
you to continue to be public in similar situations.

There is an interesting tension between the benefits of collaboration and the
benefits of individuality. John Lennon and Paul McCartney playing off each
other, or Andrew Wiles working alone in obscurity.

Surprise and disruption are closely linked to privacy in my mind. Not
necessarily by launch time. But the groundwork for originality to me is laid
in the soil of a rich inner life.

------
nilved
You can also view a list of someone's friends by trying to recover their
password. I reported it to their security team months ago and didn't get a
response.

------
gburt
I reported this bug two weeks ago and they have not responded. This is the
second time I've submitted a security bug and got nothing back...

~~~
Devko
Someone on our team reported it some time ago too. We got a won't fix reply.

------
mahyarm
I think you just have to accept that facebook, in general, has 'share to a
wide audience' as a default design stance. That stance enhances general
virality and usage of their program and thus increases their user base.

Same with never deleting anything, recording everything you do with like
buttons around the internet and making it difficult to do such things as
'delete everything older than 3 months' with one click. Storage is cheap and
the more information they have, the more valuable their product is to their
customers, marketing firms.

Having a locked-down-by-default stance just decreases the virality of their
social product. The amount they piss off is smaller than the amount they gain,
unfortunately.

------
anaphor
The article mentions the NSA, but if you don't think this can be used by
anyone (not just people with huge botnets or databases like the NSA) then
you'd be wrong as well. Consider trying to find the address of a person that
you only know the facebook account of, but their name isn't listed in the
phonebook. If you can see their friends list then it's fairly likely that it
might have family members or housemates on it who _are_ listed. This is just
one way of using the friends list. So it's a huge privacy issue that someone's
friends list is exposed because anyone can use that information to figure out
things about the person.

------
babuskov
FB should've really kept the initial idea of a public worldwide friend-graph
and built a special website for people who want to hang out in private (or let
someone else build it).

~~~
lelandbatey
Yeah, I think that's one of the chief reasons I and others disagree about
privacy and Facebook, a mis-match between views of what Facebook is or should
be.

I see Facebook as a super-public platform for sharing your life, and that's
how I've always thought of it. It's why I've had a hard time understanding how
people can debate "privacy on Facebook" in the first place: I've felt there
was nothing to debate.

------
subsection1h
I have a pseudonymous Facebook account that I use to access two private
groups. My friends list is empty, which is nice. (It would be nicer if I
didn't have an account and the people in the two private groups would check
their email as often as they check Facebook so that we could use mailing lists
instead of Facebook groups.)

------
l0stb0y
Maybe Sophos should spend more time fixing their lousy software instead? As
for security, you won't find it on FB.

------
harsh1618
The same is true for the profile picture which is always public even if you
set the privacy settings to 'only me'. Opening the thumbnail in the browser
and changing the image size in the URL lets you view a full size image. Wonder
why they even give you the privacy option there.

------
CurtHagenlocher
So is this why I get random spam for which the name on the from address
matches various Facebook friends?

------
confluence
In other news, clear incentive structures predict the future actions of
companies.

FB makes money when they receive data created when people interact. Anything
that limits this interaction will eventually disappear. Take this reasoning
to the limit, and everything will be made public.

------
pattt
1) Create a completely new zero account with no connections.

2) Send a friend request to a user whose "private" friends you want to see.

3) Immediately withdraw your friend request.

4) See the "people you might know" list, voilà.

(At least it used to work for me about a year ago when I was looking for one
girl.)

------
leoedin
The article concludes with:

> I agree with Abezgauz on this issue: Facebook has no right to siphon our
> friends off of a list putatively set to be private.

Now it strikes me that Facebook does have that right. You gave them that right
when you chose to create an account with them and chose to make friend
connections with that account. If you don't like the way they operate, don't
use their service. You'd have to live in a vacuum not to know that Facebook
has been consistently pushing the envelope of acceptable privacy for years.
The reality is that if you truly _need_ complete privacy, a Facebook account
is not for you.

~~~
ronaldx
> You'd have to live in a vacuum not to know that Facebook has been
> consistently pushing the envelope of acceptable privacy for years

Facebook opened with and developed a following on the strength of unusually
strong privacy settings.

Expectation-of-no-privacy, if that is an argument, can't apply to people who
opened Facebook accounts under those circumstances.

------
jms703
Silly article. Why should Facebook fix anything here? Facebook is making
billions of dollars the way it is. Facebook is a social networking site, not a
private networking site. No one will get a reply to this because it's
pointless. What you're asking for goes against the whole point of Facebook.
Move on.

~~~
aroman
Okay, if that were the case, why would Facebook even have an option to make
your friends list private?

There's nothing pointless about taking issue with "features" and options that
don't do what they're purporting to do.

------
incompatible
I think you can do it even without creating a fake account. The "People you
may know" page seems to comprehensively list all of your friends' friends. All
you'd need is some scraper software to build it into a better organised list.

------
perlpimp
Man, this privacy thing is one nasty can of worms. They should've either kept
it completely private or just public.

Frankly, if you are an extremely private person you shouldn't be using 'the
facebook' but use email instead. A few of my friends do just that.

Regardless, I think this is a non-newsworthy article; facebook has had this
thing for a while and everyone here knows about that, IMO.

My 2c.

------
brosco45
They trust me.

