You’ve got to hand it to Facebook. They certainly know how to do security — not.
Today I was tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their ‘friends’. Using what sounds like a simple trick, a user can also access their friends’ latest pending friend-requests and which friends they share in common. That’s a lot of potentially sensitive information.
Unbelievable I thought, until I just tested the exploit for myself.
And guess what? It works.
The irony is that the exploit is enabled by they way that Facebook lets you preview your own privacy settings. In other words, a privacy feature contains a flaw that lets others view private information if they are aware of the exploit.
I know Facebook wants us to share more information and open up, but I’m not sure that this is quite what they had in mind.
Because this has major implications for user privacy we’ve informed Facebook about this exploit.
http://eu.techcrunch.com/2010/05/05/vid ... ive-chats/