Edit: To clarify my standpoint, I tested this on a friend of mine (person A), who hides his friends list from everyone but his closest friends.
It just happens that I also befriended the person's best friend (person B), and therefore I tried to get the mutual friends between person A and B. What I received were 38 mutual friends, even though I can only see one mutual friend between myself and person A.
That is clearly information that person A didn't intend to share with me, therefore there has to be a bug or stupidity on Facebook's side involved to uncover this information to me.
And given that FB has a history of just changing the default security for things without telling anyone, or making the defaults fully open/public, this is a little worrying!
It wouldn't fix everything, but it would mean you at least need to befriend someone in their network before being able to use this attack.
What I have a problem with is that they gave users a tool to manage and hide certain connections, even though anyone could potentially circumvent that.
My position is that the service should work as expected.
Either you give your users the means to hide connections, and consequently prevent hacks like this, or you remove that feature and every user will know that this information is public to all your friends.
Everything in between is just wrong, because it breaks your users' expectations; you've got to be clear about what your service does.
Also, I want to be clear that I don't think that Facebook is intentionally doing something evil, it's just a big corporation with lots of different people making decisions. That could happen anywhere.
And the answer is "anybody" - if they just take a minimal amount of time and effort to piece it together.
The setting is giving the sense that the friend list will not be accessible, which is a false implication.
Facebook's use of language is misleading (IMO deliberately), and has significant privacy consequences.
Question for the armchair lawyers: If he published said friends list, could the FB denial of a vulnerability be construed as evidence that he didn't hack them, as the functionality is intended and authorized?
>>He was the first person to establish long and meaningful
>>connection with the New World that would eventually tie
>>Europe to the Americas, but it is a misconception that he
>>was the first to “discover” America.
Additional source: http://web.dsbn.edu.on.ca/~William.Randall@dsbn.edu.on.ca/FO...
It might not be an exhaustive list, but it certainly shows a way to circumvent a protection most people think is in place, when they chose "only friends can see my friends list".
In other words, the title is far from "very misleading". This is what that vulnerability allows.
On the other hand, publishing it could get you in trouble if you do it without the person's consent.
Source: armchair lawyer
Yes, it's a public photo. But seeing all tagged public photos in one place is a different thing. These photos are not shown when you click "Photos" on his Timeline: https://www.facebook.com/zuck/photos_all
But OTOH, if you're tagged in a public photo, like this case, I'm not sure what expectation of privacy you should have. You can trivially untag yourself.
I'm surprised there isn't a popular point-and-click Windows GUI for ARP spoofing yet. Something like driftnet but all sorts of data, and with automatic spoofing done.
It has a bunch more features, but with a few clicks you can ARP spoof your entire network and start logging passwords.
A - Friends Hidden.
B - Friends Hidden.
A and B are Friends.
C - Not friends with A and B.
If C views mutual friends between A and B, C sees only the list of mutual friends between A and B whose friends lists are open.
i.e. if the list shows D and E.
D - Friends should be viewable to everyone.
E - Friends should be viewable to everyone.
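A small model of the A/B/C/D/E scenario above, written as an added example (not code from the thread or from Facebook): the query as the thread describes it, beside a hardened query that hides a friendship whenever either endpoint hides their list. The user names, the "hidden" flag and the edge-visibility rule are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed scenario from the thread: A and B hide their friends lists,
# D and E leave theirs open, and C is a stranger to everyone.
@dataclass
class User:
    name: str
    friends_hidden: bool = False            # "friends list visible to only me"
    friends: set = field(default_factory=set)

def befriend(x: User, y: User) -> None:
    x.friends.add(y.name)
    y.friends.add(x.name)

def build_scenario() -> dict:
    users = {n: User(n) for n in "ABCDE"}
    users["A"].friends_hidden = True
    users["B"].friends_hidden = True
    befriend(users["A"], users["B"])
    for m in ("D", "E"):
        befriend(users["A"], users[m])
        befriend(users["B"], users[m])
    return users

def leaky_mutual_friends(users: dict, viewer: str, a: str, b: str) -> set:
    """Behaviour described in the thread: intersect A's and B's lists and drop
    only the mutual friends who hide their own list. A's and B's own settings
    never enter the decision, so a stranger learns A-D, A-E, B-D and B-E."""
    mutual = users[a].friends & users[b].friends
    return {m for m in mutual if not users[m].friends_hidden}

def edge_visible(users: dict, viewer: str, x: str, y: str) -> bool:
    """An x-y friendship is visible to viewer only if viewer is an endpoint,
    or neither endpoint hides their list (either party's setting wins)."""
    if viewer in (x, y):
        return True
    return not users[x].friends_hidden and not users[y].friends_hidden

def safe_mutual_friends(users: dict, viewer: str, a: str, b: str) -> set:
    """Hardened query: a mutual friend m is disclosed only when both the a-m
    and the b-m friendships are visible to viewer under the edge rule."""
    mutual = users[a].friends & users[b].friends
    return {m for m in mutual
            if edge_visible(users, viewer, a, m) and edge_visible(users, viewer, b, m)}

if __name__ == "__main__":
    users = build_scenario()
    print(leaky_mutual_friends(users, "C", "A", "B"))   # {'D', 'E'}
    print(safe_mutual_friends(users, "C", "A", "B"))    # set()
```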
I just can't imagine they intended to allow strangers to view the mutual friends of anyone, so the person that responded to this bug report probably didn't understand it, or is clueless, because the way this feature should work is obvious.
Just allow to view the mutual friends between yourself and your friends.
The current behaviour allows you to uncover mutual friends between person A that has all connections hidden, and another person B that does not.
There's no way that I could know which specific friends of person B are also on the friends list of person A just by looking at person B's friends list.
I also tested that "hack" with one of my friends who has all connections hidden. (I only see 1 mutual friend and no other friends.)
The result was that I could see 38 mutual friends between him and the mutual friend I have with him.
And yes, that's what I meant. English is not my native language.
Facebook is always biased towards sharing information, instead of respecting privacy. They also apparently don't have the technical ability to keep private things private, as shown by the multiple leaks of Zuckerberg's information. When was the last time that Larry Page's gmail was hacked?
In any case, I disagree with your point. I think if either party makes the friendship private, it should be private.
This can often result in injury or death to the person who typically has a good reason for keeping their relationship secret.
Surely at some point we need to revisit the word "privacy". The expectation that one can keep secret our links to people when posting those links onto any "public" forum must surely be disabused in our brave new world - our expectations do not fit the economics of reality anymore.
What? Facebook sold something as private but it's not.
>> The expectation that one can keep secret our links to people when posting those links onto any "public" forum
Facebook told me it was private...
Mike Matas joined Facebook a few days ago (incorrect! see bottom); before that he founded Push Pop Press (a digital publishing company). For some time he worked at Apple designing new interfaces (presumably iOS 7) for iOS and Mac. He was also the founder of Delicious Monster, the makers of Delicious Library, whose interface was later copied by (inspired?) iBooks from Apple.
Mike being one of the 400+ friends of Zuck and also working at Facebook, I wonder if they were real friends before being acqui-hired. Or maybe Zuck adding him as a Facebook friend is a way of welcoming Mike to the company.
EDIT: PushPopPress was acquired by Facebook 3 years ago, not a few days ago. http://pushpoppress.com/about/
Of course, you'd think that'd encourage him to pressure devs to change this "feature"...
Facebook employees don't have to follow the real names policy? https://www.facebook.com/help/292517374180078
If you want 100% control, Facebook is not for you.
If you give them your data, you should have little expectation of privacy. Privacy, otherwise known as "doing the kabuki dance of selling me to advertisers while making me feel like I am in control."
Yes, it makes zero sense that this is the only privacy setting outside of the whole privacy tab in the account settings.
I can see 61 mutual friends, who are Mark's friends.