Christopher Soghoian, whose name you may remember from that huge boarding pass terror freakout last year, has discovered that Facebook’s advanced search features can provide you with access to users’ names, pictures, religion, or sexual orientation, even if you don’t have permission to view their profile.
Ryan Singel at Wired News’ “Threat Level” blog explains what Soghoian found, and how:
Like many social networks, Facebook allows its users to mark their profile page as private, semi-private or very open However, even if you mark your profile to only be visible by friends, that doesn’t change how you turn up in Facebook searches or whether your profile is open to indexing by search engines.
So for instance, if you are a Facebook member of your college or local area, you could run a search to see all the people who are Christian women who are lesbians, all the women interested in women or all the Muslim men into other men. Your search results will likely include people who thought they marked their information as private, but didn’t also change their search settings.
It’s not as if Facebook doesn’t give you the right to limit who can see your page, but common sense dictates that the vast majority of people who mark their pages as private don’t want their information showing up in a public search. Some might, but here Facebook could automatically remove “friends-only” users from search results, and let those who don’t mind be found via searches yet want a private profile choose that option. Link, and here’s the story on Soghoian’s own blog: Link.
Update: Facebook spokesperson Matt Hicks tells BoingBoing the issue was promptly resolved:
Facebook offers sophisticated search and privacy controls and is constantly making improvements based on feedback from our users. We have since updated the advanced search function so that profile information that has been made private by a user, such as gender, religion, and sexual orientation, will not return a result.
Chris Soghoian responds,
Within a few hours of your post appearing on Boing Boing, Facebook’s engineers had rushed out a fix to the problem. One of Facebook’s PR people left a comment on my blog to let me know.
This is a big win for privacy, and it’s great to see that Facebook continues to take user privacy seriously.
Unfortunately, they don’t seem to be too concerned about the security of their users home computers – as a fairly serious software vulnerability I reported to them over 2 months ago remains unfixed – the same issue that Google and Yahoo fixed within days. Link.