A new hole in Facebook allows members to see the fan pages of people on the networking site who they aren't friends with, an outside researcher revealed on Friday.
In verifying the hole, CNET News--signing onto the site as someone who is not a designated "friend" of Facebook founder Mark Zuckerberg--was still able to see that he is a fan of Barack Obama, the Dalai Lama, Green Day, Nirvana, Central Park, the Monterey Bay Aquarium, and Apple Students.
All a would-be spy has to do is go to anyone's profile page, click on the "Info" tab and hover the mouse over the "see all" hot link at the top right of the list of fan pages. The URL for the fan pages appears at the bottom of the Web page and can be cut and pasted into a new window. Replacing the serial number of the user in the URL with the serial number of a target user (which anyone can find) will then take you to that user's fan page.
"It's a simple logic error," said Byron Ng, a Vancouver, Canada-based computer technician whose hobby is researching holes in social networks and other sites.
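The logic error described above, as an added example that is not Facebook's code: a handler that returns the fan-page list for whatever user id appears in the URL, beside one that checks the viewer's relationship to that user on the server. The ids, data, function names and the friends-only policy are assumptions made for illustration.

```python
# Constructed sample data; every id and page name here is hypothetical.
FRIENDS = {101: {102}, 102: {101}, 103: set()}
FAN_PAGES = {101: ["Page A", "Page B"], 102: ["Page C"], 103: []}


class Forbidden(Exception):
    """Raised when the viewer may not see the requested list."""


def fan_pages_vulnerable(viewer_id, query):
    # Flawed logic: the id taken from the URL selects whose list is returned,
    # and the viewer's relationship to that user is never consulted.
    target_id = int(query["id"])
    return FAN_PAGES[target_id]


def can_view_profile_info(viewer_id, target_id):
    # Assumed policy: the aggregated list is visible to its owner and friends.
    return viewer_id == target_id or viewer_id in FRIENDS.get(target_id, set())


def fan_pages_hardened(viewer_id, query):
    # Same lookup, but the decision is made for the (viewer, target) pair
    # on every request, whatever id the URL carries.
    try:
        target_id = int(query["id"])
    except (KeyError, ValueError):
        raise Forbidden("missing or malformed id")
    if target_id not in FAN_PAGES or not can_view_profile_info(viewer_id, target_id):
        # One error for "unknown id" and "not allowed" avoids confirming ids.
        raise Forbidden("not visible to this viewer")
    return FAN_PAGES[target_id]


def is_denied(handler, viewer_id, query):
    # Helper for checking a handler's decision without catching at call sites.
    try:
        handler(viewer_id, query)
    except Forbidden:
        return True
    return False
```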
A Facebook spokesman said the company would look into the bug.
"By becoming a fan of a page, users have chosen to publicly affiliate themselves with the brand, band, cause, or figure represented by the page," the spokesman said in a statement via e-mail. "We're concerned with any behavior that users may not anticipate, even when it involves public information, and we are currently evaluating this bug."
For instance, Zuckerberg is publicly listed among the fans of the Barack Obama page, but someone would normally have to look for him on all the fan pages on the site in order to compile a comprehensive list like the one displayed on his profile page.
Earlier this week Facebook fixed a vulnerability that allowed people to see the photos of Facebook members they weren't friends with through the mobile site.