Well here we go again. Yet another Facebook vulnerability, this time your private list of friends can become visible to the general public. Irene Abezgauz of Quotium research found the vulnerability and here’s a portion of here report.
Irene Abezgauz from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the ‘People You May Know’ mechanism on Facebook, which is the mechanism by which Facebook suggests new friends to users.
With attacks being on the rise, Facebook is often targeted by hackers for the information it possesses. Users rely on Facebook to maintain their privacy to the best of Facebook’s ability.
Since this vulnerability renders the privacy control to hide friends lists from other users irrelevant, we hope Facebook will change its mind and this flaw will be addressed.
To execute the attack, an attacker needs to create a new user on Facebook, and send a friend request to the victim. The victim declining the request is irrelevant. At this point Facebook begins to suggest to the attacker people he may know, with the option of clicking a ‘see all’ button for convenience. The people suggested at this point are the friends of the attacked user to whom the attacker sent a friend request, even when the friends list of the victim is set to private, and the other suggested users also have their friends list private.
How many more privacy and security concerns will Facebook have to have for users to demand a bit more proactive prevention from them? I encourage you to hit the source links below for more, including Facebook’s response.