Monday, January 18, 2010
Are Facebook Private Items Private? Not Really
One of the big security stories of last month was that Facebook changed their privacy tools to give users more control.
One of the main changes was that users could, when posting an item, exercise granular control over who could see it, down to specifying which users can and can't. The nearby image shows an example of the Custom Privacy dialog box.
But now F-Secure shows that private items are, at least in some cases, public.
I followed their example and created an image and set custom privacy, in the settings shown above, to "Only Me". The meaning is unambiguous: Nobody should be able to see this but me.
But go back to your wall and click on the time you created the image (such as "5 minutes ago") and you see this: (pic 02)
See the circled part? That's a publicly accessible URL through which anyone, even a non-Facebook member, can view the image. Take a look here: (pic 03)
I tried this with videos, events and links, and it didn't do the same thing, so perhaps this is a bug only in pictures. So thanks to F-Secure, and good eye, guys; I don't think Facebook privacy is completely phony, but this is definitely a bug in it.