It looks like there's yet another little bug that compromises the privacy of Facebook users - all 500 million of them - and it doesn't matter how a user has set the account's privacy settings.
The bug can be found in the error page that comes when a user attempts to sign in but types in the wrong password. The system automatically populates the error page with that user's first and last names, along with the profile picture, and gives the user the chance to re-enter the password.
Now, that's kind of helpful - not can't-live-without-it helpful - but still a nice feature for the user. But what if you type in someone else's e-mail address with the wrong password? Yup, you guessed it: full name and a profile pic for that person.
And to make matters worse, it doesn't even have to be the e-mail address that the person used to register his account. If that address is listed anywhere in the user's profile, it will pop up with the full name and picture. Check out the image of my own error page. My work e-mail address is not the address that I use to sign in to my account but it is listed in my profile.
OK, how big of a deal is this? Well, Atul Agarwal, who exposed this bug on the Secfence Technologies' Full-disclosure blog this week, wrote a PHP script that works with large lists of email addresses to harvest the data. Agarwal wrote:
Facebook users have no control over this, as this works even when you have set all privacy settings properly. Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.
And, no, this isn't some sort of cache thing that populates the field because you've used that particular address before. I went into my own personal contacts list and pulled up the email address of someone random who I knew I was not Facebook friends with. It worked perfectly.
Facebook has worked hard to address privacy concerns and it have no doubt that the company will be closing this loophole soon. But, as the company has taken a beating over its efforts - or lack of - to curb privacy abuse, I can't wonder whether this is just a loophole that the company missed or if it's simply taking a reactive stance when it comes to privacy issues - that is, just wait until someone exposes something and then fix it.
What I'd like to see is Facebook taking some proactive steps to scour the site and look for any and every possible loophone that could compromise privacy - and then close it.