Updated (12/01/2009): This security problem seems to be fixed now. Thanks, Facebook, for the quick reaction!

Facebook has a security problem with profiles: by following a few simple steps, you can post on anyone's profile. How can that be? Read on and you will see.

While adding the reply feature (like Twitter's @ replies), Facebook implemented a way to tag a friend in a post, just as you could previously tag a friend in a picture.

Later, Facebook updated the “Friends” section so that you can also see friends whose confirmation is still pending. Probably without checking the consequences, Facebook carried this change over into the reply feature and into mentions as well, which means you could mention non-friends who have a pending friend request from you.

Using that, you can get a post onto anyone's profile on Facebook, as long as they have a pending friend request from you. You can't do it from your own profile any more, but you can with a Facebook Page: posting from a Page, you can get the post onto anyone's profile. See below for how we did that.

This can of course very easily be used to target spam messages at users' profiles, and it's not hard to do.

Obviously we are a small company from Facebook's point of view, a team of Facebook application developers in Prague, so it is very hard for us to get the message out. Nobody at the key media portals seemed interested in the message… So to make sure it gets out there, we will flag a few journalists and send them to this article.

Of course, it's not a major security issue: you can always remove the tag from the post. But imagine this being done by thousands of people to millions of users; it would be pretty annoying to remove tags every time you go on Facebook.


Let's take, for example, one of the writers from the best new technology site, Mashable: Barb Bybad. Barb has a closed profile, so nobody can see it.

So if you tried to mention Barb in one of your posts, nothing would show up…

But if you add Barb as a friend, then once he confirms, you should of course be able to mention him in your profile posts or Page posts.

Now here is the glitch! While I have a pending friend request to Barb, I can already mention him in posts. That doesn't get me anywhere from my own profile (it worked until a few weeks ago), but if I do it from a Page, I can post to the profile of anyone in the world I can send a friend request to.
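As an added illustration (not code from this post or from Facebook), here is a small Python model of the root cause described above: the display list from the “Friends” section, which now includes pending requests, gets reused as the authorization list for mentions, and the extra confirmed-friends check exists only on the profile path, not on the Page path. All names, classes and functions are hypothetical; the fix applies one rule to every posting surface.

```python
from dataclasses import dataclass, field
from enum import Enum

class Relation(Enum):
    PENDING = "pending"    # friend request sent, not yet confirmed
    ACCEPTED = "accepted"  # confirmed friendship

@dataclass
class FriendGraph:
    # (requester, target) -> Relation; hypothetical model, not Facebook's data
    edges: dict = field(default_factory=dict)

    def set_relation(self, requester: str, target: str, state: Relation) -> None:
        self.edges[(requester, target)] = state

    def friends_section(self, user: str) -> set:
        """Display list: confirmed friends AND pending requests, as in the updated UI."""
        return {t if r == user else r for (r, t) in self.edges if user in (r, t)}

    def confirmed_friends(self, user: str) -> set:
        """Authorization list: only relationships the other side has confirmed."""
        return {t if r == user else r for (r, t), s in self.edges.items()
                if s is Relation.ACCEPTED and user in (r, t)}

def can_mention_vulnerable(g: FriendGraph, author: str, target: str, via_page: bool) -> bool:
    """The bug: the display list doubles as the authorization list, and the
    'confirmed only' check was added to profile posts but not to Page posts."""
    if target not in g.friends_section(author):
        return False
    if not via_page and target not in g.confirmed_friends(author):
        return False  # profile path already patched
    return True       # Page path still lets pending targets through

def can_mention_fixed(g: FriendGraph, author: str, target: str, via_page: bool) -> bool:
    """One rule for every posting surface (via_page is deliberately ignored)."""
    return target in g.confirmed_friends(author)

def demo() -> dict:
    # Constructed sample data: 'stranger' has only a pending request to 'barb'
    g = FriendGraph()
    g.set_relation("stranger", "barb", Relation.PENDING)
    g.set_relation("alice", "barb", Relation.ACCEPTED)
    return {
        "vuln_page": can_mention_vulnerable(g, "stranger", "barb", via_page=True),
        "vuln_profile": can_mention_vulnerable(g, "stranger", "barb", via_page=False),
        "fixed_page": can_mention_fixed(g, "stranger", "barb", via_page=True),
        "fixed_friend": can_mention_fixed(g, "alice", "barb", via_page=True),
    }
```

Running `demo()` shows the asymmetry the post describes: the pending target is rejected on the profile path but accepted on the Page path, while the fixed rule rejects it on both and still allows confirmed friends.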

We tried Mark Zuckerberg's profile too, but his is closed on Facebook and you can't send him a friend request… Too bad…

This is how the end result looks:

