Hacker News new | past | comments | ask | show | jobs | submit login
Facebook Hidden Friends Vulnerability? (cyberint.com)
229 points by ccINR on June 2, 2014 | hide | past | favorite | 79 comments

People have been writing about variations on the so-called "mutual friends vulnerability" for years and years now. Facebook's response has always been the same. You can control what people see on your own profile, but you cannot control what people see on your friends' profiles. Just as if you write on your friend's wall, revealing the fact that you are friends with that person, simply being friends with that person will also reveal to people who can see that friend's profile that the two of you are connected. The name of the setting is "Who can see my friend list", not "Who can see me on my friends' friend list", nor is it "Conceal all links to my profile from my friends' profiles."

It does reveal to the person you have mutual friends with, who those mutual friends are, but I just can't see an obvious reason why this additional information should be broadcasted to everyone, even persons that are strangers to you and the person you share part of your friendslist with.

Edit: To clarify my standpoint I tested this on a friend of mine (person A), that hides his friendslist from everyone but his closest friends.

It just happens that I also befriended the persons best friend (person B), and therefore I tried to get the mutual friends between person A and B. What I received were 38 mutual friends, even though I can only see one mutual friend between myself person A.

That is clearly information that person A didn't intend to share with me, therefore there has to be a bug or stupidity on Facebooks side involved to uncover this information to me.

Even from the example link the post gives, I am neither friends with Mark Zuckerberg (who has a private list) nor Chris Hughes (who has a public friends list). In this instance I have not had to befriend anyone!


And given that FB has a history of just changing the default security for things without telling anyone, or making the defaults fully open/public, this is a little worrying!

It seems like this could be pretty easily fixed by just not allowing arbitrary usernames in the "and" parameter and instead using the currently logged in user.

It wouldn't fix everything, but it would mean you at least need to befriend someone in their network before being able to use this attack.

The goal of Facebook for users is building a social network and on the corporate side leveraging that social network for monetary gains. Mutual friends lowers the barrier to connecting the social graph.

Of course, I understand that perfectly well.

What I have a problem with is that they gave users a tool to manage and hide certain connections, even though anyone could potentially circumvent that.

My position is that the service should work as expected.

Either you give your users the means to hide connections, and consequently prevent hacks like this, or you remove that feature and every user will know that this information is public to all your friends.

Everything in between is just wrong, because it breaks your users expectations, you've got to be clear about what your service does.

Also, I want to be clear that I don't think that Facebook is intentionally doing something evil, it's just a big corporation with lots of different people making decisions. That could happen anywhere.

> The name of the setting is "Who can see my friend list"

And the answer is "anybody" - if they just take a minimal amount of time and effort to piece it together.

The setting is giving the sense that the friend list will not be accessible, which is a false implication.

Facebook's use of language is misleading (IMO deliberately), and has significant privacy consequences.

The name of the setting is "Who can see my friends list?" not "Who can reconstruct my friends list from bits and pieces of other people's information?" With this exceptionally broad interpretation of Facebook's promises, it seems like even if they killed the ability to do this, the fact that somebody can just sit down at a computer that's logged in as you and see your friends list also makes them just as much liars.

The title seems very misleading, his friends list hasn't actually been discovered, but rather a method that could discover parts of it.

Question for the arm chair lawyers: If he published said friends list could the FB denial of a vulnerability be construed as evidence that he didn't hack them as the functionality is intended and authorized?

HN, 1492. Christopher Columbus discovers America. HN user comment : pretty misleading title, large parts of America are most probably not discovered yet. Joke aside, I've seen far worse titles than this one.

To be fair it would really be misleading as he wasn't the one who "discovered" America.

>>He was the first person to establish long and meaningful

>>connection with the New World that would eventually tie

>>Europe to the Americas, but it is a misconception that he

>>was the first to “discover” America.


Additional source: http://web.dsbn.edu.on.ca/~William.Randall@dsbn.edu.on.ca/FO...

To be really fair, Columbus was searching for India when he first discovered America so I doubt he even knew what he had stumbled upon

IIRC, he continuously insisted that he had reached the ("East", as we now know them as a result of him being wrong) Indies, in fact.

Consider my post a alley oop assist ;)

The video shows how this "discover parts of it" can be used together with simple queries to acquire profiles that likely share common friends with the target. Then it accumulates common friends with each of these. For the case of Zuckerberg, with a single start query ("People who like Spotify and Facebook Security and live in United Statesand work at Facebook") it produced 486 friends from Zuckerberg's friends list, a list he had marked as only viewable by his friends.

It might not be an exhaustive list, but it certainly shows a way to circumvent a protection most people think is in place, when they chose "only friends can see my friends list".

In other words, the title is far from "very misleading". This is what that vulnerability allows.

Yes, gathering publicly available data is definitely authorized.

On the other hand, publishing it could get you in trouble if you do it without the person's consent.

Source: armchair lawyer

Scraping facebook is against the TOS.

Terms of Service aren't law.

They practically are in the UK under misuse of computer act.

This: https://www.facebook.com/search/4/photos-of is also quite interesting. Did Zuck really want us to see this? https://www.facebook.com/photo.php?fbid=914230961663

Yes, it's a public photo. But seeing all tagged public photos in one place is a different thing. These photos are not shown when you click "Photos" on his Timeline: https://www.facebook.com/zuck/photos_all

That's interesting. For your friends, there is a "Photos of <friend>" item on their photos page, but for non-friends it doesn't show.

But OTOH, if you're tagged in a public photo, like this case, I'm not sure what expectation of privacy you should have. You can trivially untag yourself.

I just played with the graph search and that thing is creepy and powerful. It pains me that I'm drawn to such tools and I definitely need to stay away from that one.

Thanks for sharing this time suck!:)

Well all I discovered is I have 0 mutual friends with Mark Zuckerberg, so now I feel even less important than usual, lol.

You are important to somebody, Peter!

Group hug!

That and you should be happy you do not share "friends" with an antisocial network operator that has an active neglect of other people's privacy.

Take that, Zuck!

Once this exploit has a logo and a GUI then it becomes serious.

Reminds me of Firesheep. Simple side-jacking implemented as a Firefox extension with a real simple GUI. I recall that this prompted so many websites to migrate to HTTPS.

It wasn't just a GUI, it was even a browser extension.

I'm surprised there isn't a popular point-and-click Windows GUI for ARP spoofing yet. Something like driftnet but all sorts of data, and with automatic spoofing done.

There is, and I've used it yeaaaars ago. It's called Cain & Abel and you can find it at http://www.oxid.it/cain.html

It has a bunch more features, but with a few clicks you can arp spoof your entire network and start logging passwords.

I've used Cain & Abel before long, long ago. It's pretty close to what I'm talking about, but I was thinking more of something revamped to be pretty and user friendly even to someone who has no idea what ARP is or what "spoof" means.

And whenever you run it, it will be automatically deleted by your anti-virus. As a budding security researcher years ago, that was super irritating.

People need to know about it first because they start caring about it.

There are certain conditions to be met.

A - Friends Hidden. B - Friends Hidden. A and B are Friends. C - Not friends with A and B.

if C views mutual between A and B, C sees only the list of mutual friends between A and B whose friends lists are open.

i.e. if the list shows D and E.

D - Friends should be viewable to everyone. E - Friends should be viewable to everyone.

It is beyond me why Facebook would not consider this a privacy issue, if not a bug.

I just can't imagine they intended to allow strangers to view the mutual friends of anyone, so the person that responded to this bug report probably didn't understand it, or is clueless, because the way this feature should work is obvious.

Just allow to view the mutual friends between yourself and your friends.

Between yourself and anyone, I assume you meant. If not-your-fb-friends make their friends list public, I don't see why you shouldn't be able cross reference that.

Like I stated in a comment above:

The current behaviour allows you to uncover mutual friends between person A that has all connections hidden, and another person B that does not.

There's no way that I could know which specific friends of person B are also on the friendslist of person A just by looking at person Bs friendslist.

I also tested that "hack" with one of my friends that has all connections hidden. (I only see 1 mutual friend and no other friends)

The result was that I could see 38 mutual friends between him a the mutual friend I have with him.

And yes, that's what I meant. English is not my native language.

This is an issue - private friends should not have you as "public" friend in their friend list. It makes it not private.

With friendship, there are two people involved. One person can't demand the friendship be private if the other disagrees. If one person makes it public, it's public. It works that way in real life too.

"Tell you what, we both go to the same summer camp, so we can be camp friends. But if I see you at school, I won't admit that we are friends. If you try to bring it up, I'll deny it."

Facebook is always biased towards sharing information, instead of respecting privacy. They also apparently don't have the technical ability to keep private things private, as shown by the multiple leaks of Zuckerberg's information. When was the last time that Larry Page's gmail was hacked?

In any case, I disagree with your point. I think if either party makes the friendship private, it should be private.

Your example seems contrived. I didn't have friends as a kid, so I don't really know, but that seems like an unusual arrangement. At the very least, it requires you to do it explicitly.

Usually, in real life, if one person wants a friendship to be private while the other one wants it to be public, they don't stay friends for very long.

...but if I have a friendship with you that I want to remain private for some reason, and you make it public, you are going against my wishes, you are a bad person, and you shouldn't do that.

This can often result in injury or death to the person who typically has a good reason for keeping their relationship secret.

I have a friend who is dating two women, neither of which who knows about the existence of the other. If he was to tell each woman, please update your Facebook privacy settings to keep our friendship a secret, they would rightly be suspicious. If them finding out about each other results in injury or death to him, it's not Facebook's fault.

The problem here is Wittgenstein in nature - not some flaw in Facebooks security but a misunderstanding of the word "privacy".

Surely at some point we need to revisit the word "privacy". The expectation that one can keep secret our links to people when posting those links onto any "public" forum must surely be disabused in our brave new world - our expectations do not fit the economics of reality anymore.

>>misunderstanding of the word "privacy".

What? Facebook sold something as private but its not.

>> The expectation that one can keep secret our links to people when posting those links onto any "public" forum

Facebook told me it was private...

but privacy is not a "thing". it's not real, they can't sell it in the same way they can't tell you it's secure.

That's exactly why people are angry at Facebook for lying to them about privacy.

We changed the title because "Mark Zuckerberg's private friends list discovered" is shameless linkbait and added a question mark because the nature of this vulnerability is in dispute.

I saw the interface designer Mike Matas was in the list.

Mike Matas joined Facebook a few days ago (incorrect! see bottom), before that he founded Push Pop Press (digital publishing company). For some time he worked at Apple designing new interfaces (presumably iOS7) for iOS and MAC. He was also de founder of Delicious Monster, the makers of Delicious Library, which interface was later copied (inspired?) iBooks from Apple.

Being Mike one of the +400 friends of Zuck and also working at Facebook, I wonder if they where real-friends before being aqui-hired. Or maybe its Zuck adding him as facebook-friends a way of welcoming Mike to the company.

EDIT:PushPopPress was acquired by Facebook 3 years ago, not a few days ago. http://pushpoppress.com/about/

Mike Matas has been at Facebook for almost three years.

And now you see why Zuckerberg doesn't want people seeing his friends list. They'll make speculations and assume certain things without any strong evidence.

Of course, you'd think that'd encourage him to pressure devs to change this "feature"...

Interested to see an entry for the name "Boz" among the friends

Facebook employees don't have to follow the real names policy? https://www.facebook.com/help/292517374180078

> Nicknames can be used as a first or middle name if they're a variation of your real first or last name (like Bob instead of Robert)


But in that case, shouldn't he show up as Boz Bosworth?

In this case, it's Andrew "Boz" Bosworth.

Well it is a social network. THe social network, in fact. I would think if you care about privacy you just wouldn't use it.

Some might think this a glib response, but I've come to the conclusion that there is no way to use Facebook and keep perfect privacy. You have to allow other's to interact with you, and their privacy settings combine with yours for your mutual information. There's no way to keep 100% control of everything that concerns you.

If you want 100% control, Facebook is not for you.

Since Facebook says this is not a privacy violation, I totally expect Facebook to not condemn the author of this hack.

Yes. The author isn't seeing the ads this way and that's how the value proposition is created. So yeah, the author should deal with it and watch all the ads now...

If you give them your data, you should have little expectation of privacy. Privacy, otherwise known as "doing the kabuki dance of selling me to advertisers while making me feel like I am in control."

So don't use facebook.

I bet he wishes he used something a little more private right about now.

Privacy is obsolete, so I'm sure Mark has no problem with all his private lists being posted. Right?

I wonder how long it'll be before Google uses this to scrape Facebook's social graph...

How do I access that "Edit Privacy" dialog shown in the screenshot?

Go to https://www.facebook.com/me/friends, click on the pencil icon, select edit privacy.

Yes, it makes zero sense that this is the only privacy setting outside of the whole privacy tab in the account settings.

There are several things that aren't part of the privacy tab as I recall - the privacy settings for group membership and various other profile information are elsewehre thoo.

It's about time that facebook will take privacy seriously!

Misleading title, I don't see a list of Mark's friends. So it is still unexposed

Did you click on the link: https://www.facebook.com/zuck/friends?and=ChrisHughes

I can see 61 mutual friends, who are Mark's friends.

You clearly did not watch the POC video at the end of the post.

Where can i get the program ?


Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact