Steve O’Hear writes:
You’ve got to hand it to Facebook. They certainly know how to do security — not.
Today I was tipped off that there is a major security flaw in the social networking site that, with just a few mouse clicks, enables any user to view the live chats of their ‘friends’. Using what sounds like a simple trick, a user can also access their friends’ latest pending friend-requests and which friends they share in common. That’s a lot of potentially sensitive information.
[…]
The irony is that the exploit is enabled by the way that Facebook lets you preview your own privacy settings. In other words, a privacy feature contains a flaw that lets others view private information if they are aware of the exploit.
Read more on TechCrunch, where Steve posted the following video showing the exploit in action:
Hat-tip, Rick Forno, who notes that FB chat has been unavailable all morning.
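The design point behind this bug is worth spelling out: a "preview my profile as a friend" feature should only change which of the owner's own fields get rendered, never who the session is. The toy model below (added here for illustration, not Facebook's code; all accounts and data are constructed) contrasts a preview that overrides the session principal, so that unrelated reads such as chats run as the friend, with one that keeps the authenticated user fixed and treats the friend purely as a rendering audience.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    name: str
    friends: set
    chats: list
    pending_requests: list


# Constructed sample accounts; nothing here is real data.
USERS = {
    "alice": User("alice", {"bob", "carol"}, ["alice->carol: lunch?"], ["dave"]),
    "bob": User("bob", {"alice", "carol"}, ["bob->eve: private"], ["frank"]),
}


@dataclass
class Session:
    user: str                               # authenticated principal, never changes
    acting_as: Optional[str] = None         # flawed design: whole-session override
    preview_audience: Optional[str] = None  # hardened design: a rendering hint only

    def effective_user_vulnerable(self) -> str:
        # Every data read in the flawed design goes through this override.
        return self.acting_as or self.user


def render_profile(owner: str, audience: str) -> dict:
    """Fields of the owner's profile that the given audience is allowed to see."""
    o = USERS[owner]
    view = {"name": o.name}
    if audience in o.friends:
        view["mutual_friends"] = sorted(o.friends & USERS[audience].friends)
    return view


# Flawed: preview is implemented by changing who the session is, so any
# endpoint that asks "who am I?" now returns the friend's private data.
def preview_vulnerable(s: Session, friend: str) -> None:
    assert friend in USERS[s.user].friends
    s.acting_as = friend


def get_chats_vulnerable(s: Session) -> list:
    return USERS[s.effective_user_vulnerable()].chats


# Hardened: preview only changes the audience the owner's profile is rendered
# for; reads of private resources always use the authenticated user.
def preview_hardened(s: Session, friend: str) -> dict:
    assert friend in USERS[s.user].friends
    s.preview_audience = friend
    return render_profile(owner=s.user, audience=friend)


def get_chats_hardened(s: Session) -> list:
    return USERS[s.user].chats  # preview state is deliberately ignored here
```

The check to carry into a real code base: after entering preview mode, every endpoint that returns private data must still resolve the caller to the authenticated user, not to the simulated viewer.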
Update: Steve got a response from Facebook hours later that said, in part:
“For a limited period of time, a bug permitted some users’ chat messages and pending friend requests to be made visible to their friends by manipulating the ‘preview my profile’ feature of Facebook privacy settings,” Facebook said in a statement.
How limited was the period of time, Facebook? And maybe, as the journalists’ group in the UK asked, you might do a better job of testing things before you release them?