Facebook recently patched two bugs in its systems that let a non-member check if you’re a part of a certain group and draw up a list of members from the same city.
Usually, if you’re part of a group, you can check out fellow members’ profiles. But it’s not possible when you’re not part of it – especially when the group is private.
Security researcher Mohamed Shariff found a pair of bugs that allowed non-members to check group members using queries in graphql, a query language developed by Facebook. The first vulnerability was that attackers can see members of a group with the same city or the same university. And the second bug allowed a non-member to check if a person is part of a group.
Shariff reported this bug to the company in August. A Facebook spokesperson said that the bug was patched and didn’t affect private groups that were hidden.
We found and quickly fixed a bug affecting visible private groups, allowing someone outside of that group to see if someone else was a member of it. The issue did not affect private groups that were hidden.
With this info, attackers with malicious intent could target people that are part of a certain private group — and live in the same city as them. Or they could also build up a person’s profile using the private groups they’re part of to map their interests, and sell that info to a third party. This fix couldn’t come soon enough.