Facebook security flaw lets you see friends' chats

This morning, TechCrunch pointed out a serious security flaw in Facebook that allows users to see the live chats of any of their friends. The discovery adds to the concern that Facebook's security is not yet where it needs to be.

The problem occurs within an actual security feature of Facebook. There is an option in the privacy settings, under personal information and posts, that allows you to preview your profile as it would look to one of your Facebook friends. You select one of your friends and view your profile, quite literally, through their eyes.

The feature works rather too well: the preview appears to render the page in your friend's context rather than simply applying their view of your privacy settings, so if your friend happens to be live chatting at the time, you will see their conversations in action. Steve O'Hear posted the video below, showcasing the problem. For now, it seems that Facebook has turned chat off "for maintenance," though they have yet to make a public statement regarding the problem.

Update: A Facebook spokesperson confirmed to Neowin that Facebook chat is offline due to the bug. "Chat is unavailable as we work quickly to fix a bug reported to us. It should return to normal soon. Because of the bug, people could view friends’ chat messages and friend requests for a limited amount of time if they manipulated the 'preview my profile' feature in a specific way. We’ve fixed that issue and took down Chat as soon as we became aware of it. We apologize for the inconvenience."
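The flaw described above is a confusion between two different principals: the user who is authenticated (whose session-scoped data such as chat and friend requests may be rendered) and the user whose point of view is being simulated (whose relationship to the profile owner decides which profile fields are visible). The toy model below is an added example written for this page, not Facebook's code; the user names, profile fields and chat lines are constructed, and the function names are hypothetical. It shows a "preview as friend" implemented by swapping the whole session to the friend, alongside a hardened version that keeps the owner's session and uses the friend's identity only for audience evaluation.

```python
"""Toy model of a "preview my profile as X" feature.

Vulnerable version: the preview renders the page in the *friend's* session, so
session-scoped widgets (chat, friend requests) are the friend's, not the owner's.
Hardened version: the authenticated principal and the audience principal are
separate parameters; only the audience calculation uses the friend.
All users, fields and messages below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    # Session-scoped, private data that must only ever be shown to its owner.
    chats: list = field(default_factory=list)
    friend_requests: list = field(default_factory=list)
    # Profile fields: name -> (value, audience),
    # audience in {"everyone", "friends", "only_me"}.
    profile: dict = field(default_factory=dict)


def audience_allows(owner: User, viewer: User, audience: str) -> bool:
    """Decide whether `viewer` may see a field of `owner` with the given audience."""
    if viewer is owner:
        return True
    if audience == "everyone":
        return True
    if audience == "friends":
        return viewer.name in owner.friends
    return False  # "only_me" or an unknown audience value: deny by default


def visible_profile(owner: User, viewer: User) -> dict:
    """Profile fields of `owner` that `viewer` is allowed to see."""
    return {k: v for k, (v, aud) in owner.profile.items()
            if audience_allows(owner, viewer, aud)}


def render_page(session_user: User, profile_owner: User,
                audience_user: Optional[User] = None) -> dict:
    """Render a profile page.

    `session_user` is the authenticated principal and is the only source for
    session-scoped widgets. `audience_user` (default: the session user) is the
    principal whose visibility rules are applied to the profile fields.
    """
    audience_user = audience_user or session_user
    return {
        "profile": visible_profile(profile_owner, audience_user),
        "chat": list(session_user.chats),
        "friend_requests": list(session_user.friend_requests),
    }


def preview_vulnerable(owner: User, as_user: User) -> dict:
    # Bug: the whole session is swapped to the friend, so the friend's private
    # chat and friend-request widgets are rendered for the owner to read.
    return render_page(session_user=as_user, profile_owner=owner)


def preview_hardened(owner: User, as_user: User) -> dict:
    # Fix: the session stays the owner's; the friend's identity is used only to
    # evaluate audiences. A preview is about the profile, so session widgets
    # are dropped from the result entirely.
    page = render_page(session_user=owner, profile_owner=owner,
                       audience_user=as_user)
    return {"profile": page["profile"]}


def sample_users():
    """Constructed users: alice previews her profile as her friend bob."""
    alice = User("alice", friends={"bob"}, profile={
        "name": ("Alice", "everyone"),
        "phone": ("555-0100", "friends"),
        "diary": ("kept to myself", "only_me"),
    })
    bob = User("bob", friends={"alice"},
               chats=[("carol", "meet at 8?")],
               friend_requests=["dave"])
    return alice, bob


def demo():
    """Return (vulnerable preview, hardened preview) for the constructed users."""
    alice, bob = sample_users()
    return preview_vulnerable(alice, bob), preview_hardened(alice, bob)


if __name__ == "__main__":
    leaky, safe = demo()
    print("vulnerable preview:", leaky)
    print("hardened preview:  ", safe)
```

The vulnerable preview returns bob's chat and pending friend requests alongside alice's profile, which is exactly the class of leak the spokesperson's statement describes. The hardened preview returns only the fields bob is entitled to see (the "friends" audience includes him, the "only_me" field does not), and there is no code path by which another user's session data can reach the page.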

42 Comments

Do the trick with somebody new on Facebook, I mean, a person with no complete profile.

You see this message: "Tell us about yourself. Begin editing your profile below."

Let's see what we can discover.

Strange...I was talking to people and did the preview thing. However, I didn't get any of their message notifications or chats. This must mean it was put in recently, since I did it a few weeks back.

It shouldn't even be hard to get around that. Just make up a "fake" profile that has the settings that go with the privacy settings put forth. Why would they even implement something that LITERALLY uses someone else's account...horrible design. WAIT I KNOW WHY, they are lazy and that's what I call a "hack".

Zedox said,
It shouldn't even be hard to get around that. Just make up a "fake" profile that has the settings that go with the privacy settings put forth. Why would they even implement something that LITERALLY uses someone else's account...horrible design. WAIT I KNOW WHY, they are lazy and that's what I call a "hack".

I hear you

Menthix said,
Just considered closing my Facebook account, but I already never trusted them to post anything I wouldn't mind being public and stored forever.

Also interesting read: Six Things You Need to Know About Facebook Connections http://www.eff.org/deeplinks/2...ou-need-know-about-facebook
Yeah, which is why I don't go through with it (if you don't OK it, your old Info page is still intact) and in any case you can use the "Extended Info" app to put the same (and more) info on your Profile anyway, without the stupid "Connections" thing.

Wow, I've used that 'see your profile through someone else's eyes' thing before, like over a month ago, I wonder if this has been an issue the whole time...

I do know that yesterday or the day before, they changed the HTML code for the chat. (I use Stylish to slightly change how my Facebook looks, and it quit working.) I would imagine this is because they updated the back-end as well, so that was most likely when this flaw was created.

SaltLife said,
That looks like something that should have been caught in QA testing prior to production release...

That wouldn't of been so easy to catch. They can't find everything. The good thing is that they took appropriate action and prevented further misuse while they work to fix it.

shinji257 said,

That wouldn't of been so easy to catch. They can't find everything. The good thing is that they took appropriate action and prevented further misuse while they work to fix it.

You're kidding, right? This would have been a pretty easy thing to recognize and fix during testing...if it had been done properly. FB is quickly approaching the $1 billion revenue point. There's no reason for something like this.

shinji257 said,

That wouldn't of been so easy to catch. They can't find everything. The good thing is that they took appropriate action and prevented further misuse while they work to fix it.

Wouldn't have *rolleyes*

Andrijan Apostoloski said,
They closed down the chat. They work fast, for sure.

Damn. I just got on there to see if it would work too, haha.

Andrijan Apostoloski said,
They closed down the chat. They work fast, for sure.

I wouldn't call it fast. No more facebook fun. lol