Update 1: Facebook have now fixed this exploit, and have also asked that we remove the pictures of proof below. We’re going to comply with their request, but expect a follow-up story shortly on how we did it.

Update 2: Watch our video on just how we did it.

Facebook has long touted their privacy settings as being highly customizable and secure, so you can be more open and comfortable about sharing information with just the people you choose. But how would you feel if that information was accessible to anyone, anywhere, even if your account was COMPLETELY hidden?

FBHive, for our premiere feature article, is first to break this story.

In June 2007, The Register reported that Facebook Search could be utilized to sniff out private information. This is similar to what we have achieved, only our process is much more simplified and specific. With a simple hack, everything listed in a person’s “Basic Information” section can be viewed, no matter what their privacy settings are. This information includes networks, sex, birthday, hometown, siblings, parents, relationship status, interested in, looking for, political views and religious views.

We have already reported this bug to Facebook on June 7th 2009, through multiple avenues, but it has received little attention. Hopefully this incites a little more action from them.

So I suppose you want proof, right? First up, Facebook Founder and CEO, Mark Zuckerberg:

I can hear you already: “All that information is public knowledge. Anyone could fake that.”
Okay, how about… Founder of Digg, co-host of Diggnation and all-round cool guy, Kevin Rose?

Still not enough? Okay, one more. Co-editor of Boing Boing and famous blogger, Cory Doctorow:

According to Wikipedia he’s been happily married since October 2008. His Facebook profile only says he’s engaged.

If you still don’t believe us, feel free to leave a link to your Facebook profile in the comments and we will gladly tell you a little bit about yourself that you thought only your friends could see. (Edit: Since TechCrunch has now confirmed our exploit as real, we will no longer be offering further proof for individuals.)

We are not malicious hackers by any means, and our skills are far from advanced. We here at FBHive are fans of Facebook, but when a security hole as big as this is discovered and brought to their attention, it shouldn’t take 15 days to fix.

We can confirm that as of June 22, this hack is still working. In the next few days, we will be posting a follow-up article that details how we did it.




22 Comments

  1. this is bad.
    very bad

    Comment by Zafarali Ahmed — June 22, 2009 @ 11:06 pm

  2. Fix this, Facebook!

    Praying HR professionals / bosses won’t find out about this hack ;-)

    Comment by Bas Grasmayer — June 22, 2009 @ 11:24 pm

  3. I would like to see you do this to my Facebook…

    I believe you can do it, I am just curious. =)

    Comment by Phillip Reece — June 22, 2009 @ 11:32 pm

  4. Can you get anything more than the info displayed in the article?

    Comment by Jan Vrsinsky — June 22, 2009 @ 11:33 pm

  5. Not good! I too would be interested in knowing what other information can be seen on profiles by this hack. Thanks for letting us know about this!

    Comment by John Stailing — June 23, 2009 @ 12:23 am

  6. This profile of mine is a second one to which I don’t post any real pics of myself (for political safety reasons) there is a link to my regular personal one form pics only certain friends can see. So as you can imagine, I am quite concerned about this. Tell me what you can see and what I need to do to secure my privacy on FB.

    Comment by Amiah Connel — June 23, 2009 @ 12:24 am

  7. @Phillip – Since TechCrunch has vouched we’re legit, we’re going to lay off the hack for the time being, sorry.

    @Jan @John – Anything listed in Basic Information. If you’ve set it: Networks, Sex, Birthday, Hometown, Siblings, Parents, Relationship Status, Religious Views, Home Neighborhood, Interested In, Looking For, Political Views and Religious Views.

    @Amiah – You can remove the information or wait for FB to fix the problem. The information above is the only details accessible. As far as we can tell, your photos, posted items, wall etc are all secure! (at least from this exploit)

    Comment by FBHive — June 23, 2009 @ 12:39 am

  8. You’ll get someone’s attention, for sure. :) Good job and good luck with your new blog.

    Comment by Kevin O'Reilly — June 23, 2009 @ 1:18 am

  9. Facebook have a poor security history – and as you have found are unresponsive to any kind of “heads up”.

    I work for a security research firm and recently contacted them with a 4 page spread of exploits and bugs. No reply appeared! I’m always interested in new exploits – I suspect we have the one you mention (potentially it is one I made public several months back) but it’s always interesting to compare notes – drop me a line if you fancy.

    Comment by Thomas Morton — June 23, 2009 @ 1:19 am

  10. This has been fixed. Do you think you can tell us how you found it/how it worked?

    Comment by Ryan Glowstix Façade — June 23, 2009 @ 4:27 am

  11. How can this information help? I don’t care about mine being leaked. My profile is open to all.

    Comment by Anupum Pant — June 23, 2009 @ 4:33 am

  12. http://www.facebook.com/ajax/profile/tab.php?id=4&v=info&href=&iframe=true&_log_src_tab_name=info&_log_dst_tab_name=info&ajax_log=1&viewas=4

    They were likely using something like that

    Comment by Gabriel Malca — June 23, 2009 @ 5:50 am

  13. Thanks, FBHive!!

    GOOD JOB ^_^

    Comment by Ilham Dani — June 24, 2009 @ 2:05 pm

  14. Incredible to see such a simple Online Reputation Management hack pulled right over Facebook’s eyes. It further validates that you can never assume any online data is private. I am glad to see that Facebook was quick to fix the hole.

    - Pete Kistler (CEO, Brand-Yourself.com)

    Tips to manage your online reputation: http://blog.brand-yourself.com

    Comment by Pete Kistler — July 3, 2009 @ 9:55 am

  15. Hi, can you do me then? My name is Craig Hall. I have 1 friend on Facebook. I need the email as I forgot it, thanks.

    Comment by Sonya Stead — July 13, 2009 @ 6:30 am

  17. Wooowww, I wish I could do that to my bf’s Facebook because he deleted his first one and then he made another account and he said he doesn’t have one, but I know he got a new one and I’m not sure I will like what he has on it

    Comment by Marie — November 21, 2009 @ 7:06 am

  18. extra

    Comment by Eldin Ronaldo Agovi? — February 1, 2010 @ 9:06 am

  19. can you hack back my old acc : patrick nich

    Comment by patrick nich — February 17, 2010 @ 1:03 am

  20. So the security threats spewing from Facebook are more than real, downright dangerous for some people. SO happy Facebook is free and we don’t have our CC info posted. Well.. With all the info Smuckersburg has on us all I’m sure that’s the next thing the poor guy will ask for. God Help Us All. FBHive Thanks for the work and kudos to you guys!

    Comment by Jason D. — May 20, 2010 @ 3:42 am

  21. Hey, people, what’s up? Don’t waste your time in such fool things… I tell you the truth behind Facebook hacking: if hacking is easy like a piece of cake then everybody likes to eat,, (LAUGH OUT LOUDLY) there is no such kind of websites or blog who teach you hacking. Hacking is a skill which develops by hard practice, so TAKE A BREAK

    Comment by Devilcode — June 23, 2010 @ 10:24 pm

