A bug in Facebook's friend list

Last updated: 2020-02-23

A few years ago I found an information disclosure bug in Facebook's friend list. At the time I made an alt account, just to follow my real one. Facebook policies aside, doing so allowed me to find out about an issue.

On my real account, my friend list is set to be visible only to myself, since some of these contacts might be considered sensitive information. I see no reason to share that list with anyone else. But eventually I started to get emails about friend suggestions in said alt's mailbox. All of them matched my friend list.

Of course I reported this issue to Facebook straight away, since this is an information disclosure vulnerability. The list is set to be visible only to the account owner, while anyone can follow an account, so the exposure is effectively public in scope.
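To make the failure mode concrete, here is a small model of the behaviour described above, written for this page and not Facebook's own code. It assumes a toy account record with a friend list, a follower set and a friend-list visibility setting. The leaky suggestion function derives suggestions from the friend lists of every account the viewer follows without consulting the owner's visibility setting, which is exactly how a follower ends up receiving the owner's private list piece by piece. The hardened variant gates each data source with the same authorization check that protects direct viewing of the list, so a derived feature cannot reveal more than the list itself would.

```python
# Constructed model of a follower-triggered friend-suggestion leak and its fix.
# Added example for this post; the data model is an assumption, not Facebook's.
from dataclasses import dataclass, field

VISIBILITIES = {"public", "friends", "only_me"}


@dataclass
class Account:
    name: str
    friends: set = field(default_factory=set)
    followers: set = field(default_factory=set)
    friend_list_visibility: str = "public"

    def __post_init__(self):
        if self.friend_list_visibility not in VISIBILITIES:
            raise ValueError(f"unknown visibility {self.friend_list_visibility!r}")


def can_view_friend_list(viewer: Account, owner: Account) -> bool:
    """Authorization check for the friend list as a direct object."""
    if viewer is owner:
        return True
    vis = owner.friend_list_visibility
    if vis == "public":
        return True
    if vis == "friends":
        return viewer.name in owner.friends
    return False  # only_me: nobody but the owner


def _derive(viewer: Account, accounts: dict, gate) -> set:
    """Collect friends-of-followed accounts, admitting each source only if gate() allows."""
    suggestions = set()
    for owner in accounts.values():
        if owner is viewer:
            continue
        if viewer.name in owner.followers and gate(viewer, owner):
            suggestions |= owner.friends
    # Never suggest the viewer to itself or people it already knows.
    return suggestions - {viewer.name} - viewer.friends


def suggest_friends_leaky(viewer: Account, accounts: dict) -> set:
    """Leaky: following alone is enough to read the owner's friend list."""
    return _derive(viewer, accounts, lambda v, o: True)


def suggest_friends_safe(viewer: Account, accounts: dict) -> set:
    """Hardened: a derived feature is bound by the same check as the list itself."""
    return _derive(viewer, accounts, can_view_friend_list)


def build_scenario() -> dict:
    """The situation from the post: a private list, an alt that only follows."""
    real = Account("real", friends={"alice", "bob"}, friend_list_visibility="only_me")
    alt = Account("alt")
    real.followers.add(alt.name)
    return {"real": real, "alt": alt}


if __name__ == "__main__":
    accounts = build_scenario()
    print("leaky:", suggest_friends_leaky(accounts["alt"], accounts))
    print("safe: ", suggest_friends_safe(accounts["alt"], accounts))
```

The design point is that the visibility rule lives in one function and every consumer of the friend list, whether a profile page, a suggestion engine or a notification email, has to go through it; a second code path that reads the list directly is how this class of disclosure appears.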

I reported this bug sometime between 2017 and 2018, but Facebook never responded. I'd have to check (and invite you to do the same, though do consider that Facebook allows you to only have 1 account with real credentials), but I think it might very well still be there. I honestly just never bothered making it public.

Needless to say, exploiting this has consequences. I'm no stranger to Facebook hacking myths, but account recovery does have an option to use your friend list by identifying their pictures. This means that it'd be possible to recover an account that doesn't belong to that person, if only you were to befriend enough of them (or just reverse search their pictures if they're public). Or even just make an educated guess based on their profile pictures (or any public picture of said people). After that, fair game really. It's not very hard to exploit that.

I still consider this an issue, and would hope that Facebook does (or did, without accreditation) something about it. An account whose only connection to another user is following them should not be able to extract their friend list, especially when settings have been set to not allow it. Then again, Facebook is more or less a privacy nightmare in general. Cambridge Analytica was a case of the already crippled API being abused, and the senators were poor at their interrogation. No stranger to that at all. But when actual issues are found, I expect a company with a bug hunter program to heed them. Facebook hasn't done that. Personally I don't consider using Facebook any more private than using a public forum, and this really doesn't help with that.

What do bug hunter programs even exist for at the end of the day?