Think your Facebook status updates are only viewable by your own circle of Facebook friends? Think again. I, along with Drew Benvie, have just discovered a security flaw in the status update system. Drew and I are friends on Facebook, which means I get to see his status updates when I log into Facebook and, likewise, he gets to see mine. Which is fine. However, everyone who is a member of Facebook has an RSS feed of their friends’ status updates, meaning they can add it to an RSS reader if they choose to.
Drew happens to read his friends’ status updates from his Bloglines account. And here’s the flaw. If you run a search for my name in Bloglines you’ll see my latest Facebook status update coming from Drew’s subscription and available for all to see.

I initially thought that Drew must have had his Bloglines feed settings on ‘public’, but he’s just clarified they are indeed set to private. With them set to private, you would think only Drew would be able to see them. Wrong. And not only can I see my own status updates, I can see those of all of Drew’s friends too.

This is a fairly serious security flaw, methinks, and I don’t think it’s Bloglines at fault here. I wonder if I throw a few links to the Bloglines blog and the Facebook blog, they might see it.
I bet Drew isn’t the only person subscribed to his friends’ status updates in Bloglines either.

Karel Mc Intosh
Hmmm… This is something to think about, especially since status updates are where people get really witty and wild when they’re ready.
Stephen
Yep, I write absolute nonsense sometimes.
Milton Hicks
You two are intent on bringing Facebook down. But what will we do with our days once it’s dead?
(And it’s ‘flaw’.:-))
Stephen
What a doofus! Blame the excitement of finding something ‘flawed’ in FB that caused the slight, ahem, typo. I have it correct in the blog post though…
Ta.
Bugger, I thought I was clever and submitted it to Digg… as ‘floor’.
“But what will we do with our days once it’s dead?”
I would usually have said that I’d get my life back but I’m sure something else would consume me.
Karel Mc Intosh
Lol. Bring Facebook down? Naaahhhh.
It’s just that this flaw has prevented me from writing wild and witty status updates. I’m much too addicted to FB anyway. But part of its allure, and the resulting preference people have for it, also lies in its security (especially when of late during site maintenance you end up seeing other people’s profiles).
But I’m with FB all the way.
Drew
RSS-enabling content from Facebook seems smart, but a lot of Facebook users only keep up their addiction because they know they can control who sees what they write.
So I think, the Bloglines issue to one side, RSS enabling friends’ Facebook content kind of undermines what has made it popular – the fact that only your friends see what you write.
And who ‘owns’ the RSS feeds and their content? Open can of worms is this one.
David Brain
It really does go to show that you just HAVE to assume that everything you put up pretty much anywhere is discoverable. Duller world I know, but there you go.
David Brain
PS: Newcastle top of the Premier League. City second. Nice.
Stephen
That’s true. It’s certainly made me wary about what I write there. My analytics tells me I’ve had a few visitors from the people at Facebook so maybe they’re working on it.
I know! Great news! Now if we can just keep it up for the rest of the season…
jdid
who’s bringing facebook down and how can I sign up
Karel Mc Intosh
Jdid, why do you want to bring down Facebook?