The “flaw” was discovered by Irene Abezgauz, vice president of product management at security software company Quotium. She noticed that despite having set privacy settings to hide the list of her Facebook friends from everybody, anyone who created an account and sent her a friend request could peruse said list as it’s shown via the “People You May Know” feature.
The feature also has the option “Show All” if the initial list is not helpful enough. In the end, it doesn’t matter if the user accepts the friend request or not - the potential attacker has garnered knowledge of the people the target associates with.
Social engineers looking for ways to get to know sensitive information about potential targets, but whose friend request hasn’t been accepted, can now try their luck with the target's friends. Once they have built a respectable amount of mutual friends, they might get direct access to the target who will finally decide to “friend” them.
Stalkers could be another problem. Let’s say you’re the victim of one, but you still want to use Facebook to keep in touch with your friends and family. You’ve been cautious enough to delete the account with your real name and set up a new one with a fake one, and you have “friended” a small number of people who you are close to.
They know your situation and have agreed to change their settings so that their friends list is visible only to them, lest the stalker deduces your real identity and begins to try to find a way to get you to accept a friend request (from a fake account name, obviously) in order to continue abusing you online.
Unfortunately, the privacy setting offers no real protection, as this “flaw” shows the list anyway.
“As part of the research for this vulnerability we wanted to verify the exact conditions under which this was possible,” shared Abezgauz. “The friends chosen for the victim were users who also had their friends list set to private. In addition, no interactions took place between the users except for the sending of friend requests.”
The result was the same - the list was visible.
Abezgauz and her team of researchers contacted Facebook to point out the flaw, but the social network responded by saying that ”if you don't have friends on Facebook and send a friend request to someone who's chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone's complete friend list.”
But, if you chose that no one should see your friend list (Activity Log > Friends > Who can see your friend list? > Only Me), even this partial list is a violation of your chosen privacy controls, says Abezgauz.