Hacker claims he located ‘scary’ privacy issue on Facebook

Skull Security alleges https://www.facebook.com/directory is problematic because it provides a list of every searchable user on all of Facebook. The group indexed the data and stored all of the names in a file.

“I realized that this is a scary privacy issue. I can find the name of pretty much every person on Facebook,” Ron Bowes wrote on the group’s security blog.
Facebook said the directory is similar to white pages.
"This is the information available to enable people to find each other, which is the reason people join Facebook," the company said. "If someone does not want to be found, we also offer a number of controls to enable people not to appear in search on Facebook, in search engines, or share any information with applications."
Bowes alleges the problem is that Facebook tells users that anyone can opt out of appearing in searches by changing their privacy settings. But Bowes’s list, which he has already made public, will allow users’ profiles to be located even if they opted out of search.

“Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details,” he said, even if they subsequently remove themselves from the directory. Even if the user has set their privacy higher, “at the very least I can view their name and picture.”

Bowes posted his project online so that anyone can download the list of 171 million people in the directory.
His justification for posting it: “It occurred to me that this is public information that Facebook puts out, I’m assuming for search engines or whatever, and that it wouldn’t be right for me to keep it private.”

Facebook was on the Hill for the second day in a row on Wednesday to talk about online privacy, this time before the House Judiciary Crime Subcommittee.

The witness is the company’s chief security officer Joe Sullivan, a former federal prosecutor and founding member of the Justice Department’s computer hacking unit.

Here is Facebook's full statement on Bowes' claims:

People who use Facebook own their information and have the right to share only what they want, with whom they want, and when they want. Our responsibility is to respect their wishes. In this case, information that people have agreed to make public was collected by a single researcher. This information already exists in Google, Bing, other search engines, as well as on Facebook. No private data is available or has been compromised. Similar to the white pages of the phone book, this is the information available to enable people to find each other, which is the reason people join Facebook. If someone does not want to be found, we also offer a number of controls to enable people not to appear in search on Facebook, in search engines, or share any information with applications.

Updated at 1:14 p.m. to include a response from Facebook.