This Hack Allegedly Lets You Figure Out People's Private Friends Lists On Facebook


Even if a Facebook user sets their friends list to private, other users may still be able to see part of that list.


Shay Priel of The CyberInt Group, which focuses on information security and cyber warfare, recently revealed the hack in a blog post. He also reported the hack directly to Facebook.

The gist of the issue is that even if you set your personal friends list to be private, that doesn't stop your friendship from showing up in a friend's news feed or on a list of mutual friends. As Facebook puts it in a reminder in its settings, "If people can see your friendship on another timeline, they'll be able to see it in news feed, search and other places on Facebook."


So if you're friends with Sally, and I'm friends with Sally, when you go to my profile, you will see that Sally is a mutual friend, even if my friends list is private.


Priel claims that using Facebook Graph Search you can tap into this Mutual Friends list even without being friends with either user. So if you go to https://www.facebook.com/zuck/friends?and=ChrisHughes, you will see a list of Mark Zuckerberg and Chris Hughes' mutual friends, even if you aren't friends with either user, and despite the fact that Zuckerberg's friends list is private (Hughes' list is public, which is why this works).


You can reconstruct this hack yourself by looking through Facebook Graph Search for potential friends of a user with a private friends list. So for Zuckerberg, you could search "People that work at Facebook and live in the United States," which would produce Chris Hughes as a result. You then plug the likely friend with a public friends list into the Mutual Friends URL.

Priel even wrote up some code to automate this process to show how large a loophole this could be. You can download the code from GitHub at https://github.com/prili/fb-hfc.

When Priel reported this flaw to Facebook, they responded:

We do not consider this to be a privacy issue. We include this explanation alongside the friend list visibility setting: "Remember: Your friends control who can see their friendships on their own timelines. If people can see your friendship on another timeline, they'll be able to see it in News Feed, search and other places on Facebook. They'll also be able to see mutual friends on your timeline."

So unless you make sure to only be friends with Facebook users that keep their friend list private, there may not really be such a thing as a "private friend list."
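The sketch below is an added illustration, not code from the article, from Priel's tool, or from Facebook. It models the mutual-friends check described above on a small constructed graph and compares the "one visible list is enough" behaviour with a stricter rule that requires both lists to be visible. All names and data are hypothetical, and a private list is assumed to be visible to its owner only.

```python
# Toy in-memory model added for illustration; not Facebook's code or API.
# Every name and all data below are hypothetical / constructed.

# Constructed friendship graph (symmetric): user -> set of friends.
FRIENDS = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "carol"},
    "carol": {"alice", "bob"},
    "dave": {"alice"},
    "eve": set(),  # the viewer: friends with nobody here
}
# Constructed setting: True means the friends list is public.
LIST_PUBLIC = {"alice": False, "bob": True, "carol": False,
               "dave": False, "eve": True}


def can_see_list(viewer, owner):
    """A private list is modelled as visible to its owner only."""
    return LIST_PUBLIC[owner] or viewer == owner


def mutual_either(viewer, a, b):
    """Behaviour the article describes: one visible list is enough.
    Results are not filtered by the listed friend's own setting (assumption)."""
    if can_see_list(viewer, a) or can_see_list(viewer, b):
        return FRIENDS[a] & FRIENDS[b]
    return set()


def mutual_both(viewer, a, b):
    """Stricter alternative (an assumption): both lists must be visible."""
    if can_see_list(viewer, a) and can_see_list(viewer, b):
        return FRIENDS[a] & FRIENDS[b]
    return set()


def exposed_friends(viewer, owner, mutual):
    """Friends of `owner` that `viewer` can learn under a mutual-friends policy."""
    exposed = set()
    for other in FRIENDS:
        if other in (owner, viewer):
            continue
        # A friend's own public list reveals the friendship directly.
        if owner in FRIENDS[other] and can_see_list(viewer, other):
            exposed.add(other)
        exposed |= mutual(viewer, owner, other)
    return exposed
```

In this model the stricter rule still exposes the friend whose own list is public, which matches Facebook's statement that friends control their own timelines, but it no longer reveals the friendship between the two users who both keep their lists private.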