Earlier this evening we came across a privacy flaw on Facebook that allowed users to gain access to portions of their friends’ profiles that they should not have been able to see. We contacted Facebook about the issue over an hour ago (it remains unresolved), and they have asked us to refrain from going into too much detail as to how to reproduce it until it is fixed.
Update: Facebook has fixed the issue as of Saturday morning. The procedure for exploiting the bug was quite straightforward. Users simply had to deactivate their accounts under their Facebook settings, then immediately reactivate their account by logging back into Facebook (a process that took maybe thirty seconds). This apparently broke some privacy settings, as these users would then be able to see some of their friends’ profile information that they should not have had access to.
Facebook has responded with the following comment:
“While the scenario for the bug to work was a rare use case in the account reactivation process, we’re always concerned with any potential breach of user privacy. We worked quickly to address the reported bug and it was resolved within a few hours late last night.”
Facebook is well known for its granular privacy settings, allowing users to selectively choose which of their friends have access to their photos, videos, and ‘Walls’. As the social network has grown beyond schools to include many users’ employers and family members, these privacy controls have become even more essential. Users often create “Friends Lists”, segregating friends whom they don’t want seeing their most personal content into lists with limited viewing rights.
The new bug allowed users to temporarily bypass these Limited Friends Lists, instead displaying profiles in their entirety, including photos and wall posts. Given the personal and often unprofessional nature of some photos and messages shared on Facebook, this was a potentially damaging security lapse.
It’s unclear how long the bug lasts – I found that refreshing a friend’s profile once or twice seemed to correct the issue and display only the information I was supposed to be seeing. But even if the bug only works temporarily, it’s easy enough to perform repeatedly that users could potentially view multiple profiles without much effort.
This isn’t the first privacy bug to affect Facebook – users have previously been able to access private photos and view private profile information in search results.
The error also serves as yet another blemish on the privacy controls of web-based services. Only two weeks ago, Google Docs revealed that it had inadvertently shared thousands of documents with users who should not have had access to them.
Thanks to Anjool for the tip.