People have been writing about variations on the so-called "mutual friends vulnerability" for years and years now. Facebook's response has always been the same. You can control what people see on your own profile, but you cannot control what people see on your friends' profiles. Just as writing on your friend's wall reveals the fact that you are friends with that person, simply being friends with that person will also reveal to people who can see that friend's profile that the two of you are connected. The name of the setting is "Who can see my friend list", not "Who can see me on my friends' friend list", nor is it "Conceal all links to my profile from my friends' profiles."
It does reveal to the person you have mutual friends with who those mutual friends are, but I just can't see an obvious reason why this additional information should be broadcast to everyone, even persons that are strangers to you and the person you share part of your friends list with.
Edit: To clarify my standpoint, I tested this on a friend of mine (person A), who hides his friends list from everyone but his closest friends.
It just happens that I also befriended the person's best friend (person B), and therefore I tried to get the mutual friends between person A and B. What I received were 38 mutual friends, even though I can only see one mutual friend between myself and person A.
That is clearly information that person A didn't intend to share with me, therefore there has to be a bug or stupidity on Facebook's side involved to uncover this information to me.
Even from the example link the post gives, I am neither friends with Mark Zuckerberg (who has a private list) nor Chris Hughes (who has a public friends list). In this instance I have not had to befriend anyone!
And given that FB has a history of just changing the default security for things without telling anyone, or making the defaults fully open/public, this is a little worrying!
It seems like this could be pretty easily fixed by just not allowing arbitrary usernames in the "and" parameter and instead using the currently logged in user.
It wouldn't fix everything, but it would mean you at least need to befriend someone in their network before being able to use this attack.
The goal of Facebook for users is building a social network and on the corporate side leveraging that social network for monetary gains. Mutual friends lowers the barrier to connecting the social graph.
What I have a problem with is that they gave users a tool to manage and hide certain connections, even though anyone could potentially circumvent that.
My position is that the service should work as expected.
Either you give your users the means to hide connections, and consequently prevent hacks like this, or you remove that feature and every user will know that this information is public to all your friends.
Everything in between is just wrong, because it breaks your users' expectations; you've got to be clear about what your service does.
Also, I want to be clear that I don't think that Facebook is intentionally doing something evil, it's just a big corporation with lots of different people making decisions. That could happen anywhere.
The name of the setting is "Who can see my friends list?" not "Who can reconstruct my friends list from bits and pieces of other people's information?" With this exceptionally broad interpretation of Facebook's promises, it seems like even if they killed the ability to do this, the fact that somebody can just sit down at a computer that's logged in as you and see your friends list also makes them just as much liars.
The title seems very misleading, his friends list hasn't actually been discovered, but rather a method that could discover parts of it.
Question for the armchair lawyers: If he published said friends list, could the FB denial of a vulnerability be construed as evidence that he didn't hack them, as the functionality is intended and authorized?
HN, 1492. Christopher Columbus discovers America.
HN user comment : pretty misleading title, large parts of America are most probably not discovered yet.
Joke aside, I've seen far worse titles than this one.
The video shows how this "discover parts of it" can be used together with simple queries to acquire profiles that likely share common friends with the target. Then it accumulates common friends with each of these. For the case of Zuckerberg, with a single start query ("People who like Spotify and Facebook Security and live in United States and work at Facebook") it produced 486 friends from Zuckerberg's friends list, a list he had marked as only viewable by his friends.
It might not be an exhaustive list, but it certainly shows a way to circumvent a protection most people think is in place when they choose "only friends can see my friends list".
In other words, the title is far from "very misleading". This is what that vulnerability allows.
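The two technical points in the thread, the proposal above to bind one side of the mutual-friends query to the logged-in user rather than accepting arbitrary usernames, and the pivot-and-accumulate technique the video is described as using, can both be shown on a toy graph. The code below is an added example written for this page; it is not Facebook code and does not use the real endpoint. The social graph, the workplace attributes used as a stand-in for a graph-search query, and the function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed toy graph (not real data): undirected friendships.
# "target" hides their friend list from non-friends; "stranger" is only
# connected to "alice".
FRIENDSHIPS = [
    ("target", "alice"), ("target", "bob"), ("target", "carol"),
    ("target", "dave"), ("target", "erin"),
    ("alice", "bob"), ("alice", "carol"), ("bob", "dave"), ("carol", "erin"),
    ("stranger", "alice"),
]

# Constructed public profile attribute, standing in for the kind of thing a
# search such as "people who work at X" would return.
WORKPLACE = {
    "target": "ExampleCorp", "alice": "ExampleCorp", "bob": "ExampleCorp",
    "carol": "ExampleCorp", "dave": "Elsewhere", "erin": "Elsewhere",
    "stranger": "Elsewhere",
}

# Users whose "Who can see my friend list" setting is friends-only.
FRIENDS_ONLY_LIST = {"target"}


def build_graph(edges):
    """Adjacency sets for an undirected friendship graph."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


GRAPH = build_graph(FRIENDSHIPS)


def friend_list(viewer, user):
    """The friend-list setting, working the way users expect it to."""
    if user in FRIENDS_ONLY_LIST and viewer != user and viewer not in GRAPH[user]:
        return set()
    return set(GRAPH[user])


def mutual_friends_open(viewer, uid, node):
    """Models the behaviour the thread complains about: both parties are
    caller-supplied and the identity of the viewer is never consulted."""
    del viewer  # ignored, which is the whole problem
    return GRAPH[uid] & GRAPH[node]


def mutual_friends_bound(viewer, node):
    """The fix proposed in the thread: one side is always the session user.
    A viewer then only learns edges between node and people the viewer is
    already friends with, which is the behaviour Facebook says is by design."""
    return GRAPH[viewer] & GRAPH[node]


def search_profiles(workplace):
    """Stand-in for a graph-search query that finds likely pivot profiles."""
    return {user for user, place in WORKPLACE.items() if place == workplace}


def enumerate_hidden_list(attacker, target, query):
    """Pivot technique: pick profiles likely to share friends with target,
    ask for the mutual friends between target and each pivot, and union the
    results. With the open query this reconstructs the hidden list."""
    pivots = search_profiles(WORKPLACE[target]) - {target}
    recovered = set()
    for pivot in pivots:
        recovered |= query(attacker, target, pivot)
    return recovered


if __name__ == "__main__":
    print("visible friend list:", friend_list("stranger", "target"))
    print("recovered via pivots:",
          sorted(enumerate_hidden_list("stranger", "target", mutual_friends_open)))
    print("after binding to session user:",
          mutual_friends_bound("stranger", "target"))
```

On this graph the stranger sees an empty friend list for the target, yet three pivot queries recover all five of the target's friends. With the bound version the stranger only learns that alice is a mutual friend, an edge the stranger could already see from alice's side. As the thread notes, that still leaks edges to anyone who befriends people in the target's network; the binding just removes the zero-interaction enumeration.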
Yes, it's a public photo. But seeing all tagged public photos in one place is a different thing. These photos are not shown when you click "Photos" on his Timeline: https://www.facebook.com/zuck/photos_all
That's interesting. For your friends, there is a "Photos of <friend>" item on their photos page, but for non-friends it doesn't show.
But OTOH, if you're tagged in a public photo, like this case, I'm not sure what expectation of privacy you should have. You can trivially untag yourself.
I just played with the graph search and that thing is creepy and powerful. It pains me that I'm drawn to such tools and I definitely need to stay away from that one.
Reminds me of Firesheep. Simple side-jacking implemented as a Firefox extension with a real simple GUI. I recall that this prompted so many websites to migrate to HTTPS.
It wasn't just a GUI, it was even a browser extension.
I'm surprised there isn't a popular point-and-click Windows GUI for ARP spoofing yet. Something like driftnet but all sorts of data, and with automatic spoofing done.
I've used Cain & Abel before long, long ago. It's pretty close to what I'm talking about, but I was thinking more of something revamped to be pretty and user friendly even to someone who has no idea what ARP is or what "spoof" means.
It is beyond me why Facebook would not consider this a privacy issue, if not a bug.
I just can't imagine they intended to allow strangers to view the mutual friends of anyone, so the person who responded to this bug report probably didn't understand it, or is clueless, because the way this feature should work is obvious.
Just allow to view the mutual friends between yourself and your friends.
Between yourself and anyone, I assume you meant. If not-your-fb-friends make their friends list public, I don't see why you shouldn't be able cross reference that.
With friendship, there are two people involved. One person can't demand the friendship be private if the other disagrees. If one person makes it public, it's public. It works that way in real life too.
"Tell you what, we both go to the same summer camp, so we can be camp friends. But if I see you at school, I won't admit that we are friends. If you try to bring it up, I'll deny it."
Facebook is always biased towards sharing information, instead of respecting privacy. They also apparently don't have the technical ability to keep private things private, as shown by the multiple leaks of Zuckerberg's information. When was the last time that Larry Page's gmail was hacked?
In any case, I disagree with your point. I think if either party makes the friendship private, it should be private.
Your example seems contrived. I didn't have friends as a kid, so I don't really know, but that seems like an unusual arrangement. At the very least, it requires you to do it explicitly.
Usually, in real life, if one person wants a friendship to be private while the other one wants it to be public, they don't stay friends for very long.
...but if I have a friendship with you that I want to remain private for some reason, and you make it public, you are going against my wishes, you are a bad person, and you shouldn't do that.
This can often result in injury or death to the person who typically has a good reason for keeping their relationship secret.
I have a friend who is dating two women, neither of whom knows about the existence of the other. If he were to tell each woman, "please update your Facebook privacy settings to keep our friendship a secret," they would rightly be suspicious. If them finding out about each other results in injury or death to him, it's not Facebook's fault.
The problem here is Wittgensteinian in nature: not some flaw in Facebook's security but a misunderstanding of the word "privacy".
Surely at some point we need to revisit the word "privacy". The expectation that one can keep secret our links to people when posting those links onto any "public" forum must surely be disabused in our brave new world - our expectations do not fit the economics of reality anymore.
We changed the title because "Mark Zuckerberg's private friends list discovered" is shameless linkbait and added a question mark because the nature of this vulnerability is in dispute.
I saw the interface designer Mike Matas was in the list.
Mike Matas joined Facebook a few days ago (incorrect! see bottom); before that he founded Push Pop Press (a digital publishing company). For some time he worked at Apple designing new interfaces (presumably iOS 7) for iOS and Mac. He was also the founder of Delicious Monster, the makers of Delicious Library, whose interface was later copied by (inspired?) Apple's iBooks.
Mike being one of the 400+ friends of Zuck and also working at Facebook, I wonder if they were real friends before being acqui-hired. Or maybe it's Zuck adding him as a Facebook friend as a way of welcoming Mike to the company.
And now you see why Zuckerberg doesn't want people seeing his friends list. They'll make speculations and assume certain things without any strong evidence.
Of course, you'd think that'd encourage him to pressure devs to change this "feature"...
Some might think this a glib response, but I've come to the conclusion that there is no way to use Facebook and keep perfect privacy. You have to allow others to interact with you, and their privacy settings combine with yours for your mutual information. There's no way to keep 100% control of everything that concerns you.
If you want 100% control, Facebook is not for you.
Yes. The author isn't seeing the ads this way and that's how the value proposition is created. So yeah, the author should deal with it and watch all the ads now...
If you give them your data, you should have little expectation of privacy. Privacy, otherwise known as "doing the kabuki dance of selling me to advertisers while making me feel like I am in control."
There are several things that aren't part of the privacy tab as I recall; the privacy settings for group membership and various other profile information are elsewhere though.