Hole unveils Facebook fan pages

A new hole in Facebook allows members to see the fan pages of people on the networking site who they aren't friends with, an outside researcher revealed on Friday.

In verifying the hole, CNET News--signing onto the site as someone who is not a designated "friend" of Facebook founder Mark Zuckerberg--was still able to see that he is a fan of Barack Obama, the Dalai Lama, Green Day, Nirvana, Central Park, the Monterey Bay Aquarium, and Apple Students.

All a would-be spy has to do is go to anyone's profile page, click on the "Info" tab and hover the mouse over the "see all" hot link at the top right of the list of fan pages. The URL for the fan pages appears at the bottom of the Web page and can be cut and pasted into a new window. Replacing the serial number of the user in the URL with the serial number of a target user (which anyone can find) will then take you to that user's fan page.

"It's a simple logic error," said Byron Ng, a Vancouver, Canada-based computer technician whose hobby is researching holes in social networks and other sites.

A Facebook spokesman said the company would look into the bug.

"By becoming a fan of a page, users have chosen to publicly affiliate themselves with the brand, band, cause, or figure represented by the page," the spokesman said in a statement via e-mail. "We're concerned with any behavior that users may not anticipate, even when it involves public information, and we are currently evaluating this bug."

For instance, Zuckerberg is publicly listed among the fans of the Barack Obama page, but someone would normally have to look for him on all the fan pages on the site in order to compile comprehensive list like the one displayed on his profile page.

Testing a new vulnerability, CNET News was able to see this private page showing the entire list of restaurants, politicians, and musicians that Facebook founder Mark Zuckerberg is a fan of.

(Credit: Facebook)

Earlier this week Facebook fixed a vulnerability that allowed people to see the photos of Facebook members they weren't friends with through the mobile site.

[ronjay]

Oh wow. Nobody really cares! Now I understand why C|Net gets so much criticism about the things they post as "news".

[timber2005]

Argh... I wish some days that Facebook would go back TWO versions...
Schools only, no fan pages, no applications, no chat.

[xtrasico]

Agreed! I dumped my Facebook account exactly because of that. Now it has SO MANY appz that you can't navigate easily on a friend's page.

On the other hand, right now I am investigating some illegal transactions made on a PC, and I know the user is going to wish there was no chat on Facebook. I got the logs because every message is stored as a web page. ;) Some people are just dumb.

[M C]

Yeah CNet! Digging for the important stories! What's next - "Telling friends your password can result in them logging on to your account"? I'm sure you can find a few publicity-hungry security "experts" that will offer up free quotes for that...

[phigma]

wow, terrible article. These aren't loopholes or vulnerabilities, these are very logical features.