Facebook loophole left private chats exposed


Facebook had to take its chat system offline yesterday to fix a bug that left private conversations visible to other users.

The glitch, first reported in a video post yesterday by technology blog TechCrunch, saw any user able to view the live chats of any of their friends, along with their pending friend requests, using the Preview my Profile tool.

The feature is meant to show how your profile looks to your contacts. Because many users have sub-divided their main list of friends into smaller groups, each with a different level of access, the tool asks you to enter a specific contact's name to see how your profile will look to them and to others with the same level of access.

However, as demonstrated by TechCrunch, the tool instead showed a glimpse from inside that person's profile, including any live chat conversations going on, while your own list of pending friend requests was replaced by the other user's list.

"For a limited period of time, a bug permitted some users' chat messages and pending friend requests to be made visible to their friends by manipulating the 'preview my profile' feature of Facebook privacy settings," Facebook confirmed in a statement.

"When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests, which is now complete. Chat will be turned back on across the site shortly."

The statement added: "We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented."

The chat tool is now back online, with Facebook having apologised to its 400 million users in a brief post on its fan page which was promptly "liked" by 5,000 users. It hasn't revealed how many users were affected, or for how long the glitch was active.

The issue comes at a particularly inconvenient time for Facebook, coinciding with 15 privacy groups coming together to submit a complaint against the social network to the Federal Trade Commission (FTC) yesterday.

Marc Rotenberg, who runs the Electronic Privacy Information Centre, one of the groups represented, said that recent changes at Facebook "violate user expectations, diminish user privacy, and contradict Facebook's own representations".

The filing urges the FTC to investigate Facebook's privacy measures and force it to step up its safeguards against security breaches.