Facebook patched a bug that let anyone find out which private groups you’ve joined

The operation reportedly used AI-generated Facebook profile photos to spread government propaganda about Beijing's interests in the South China Sea.
Credit: Book Catalog

Facebook recently patched two bugs in its systems that let a non-member check if you’re a part of a certain group and draw up a list of members from the same city.

Usually, if you’re part of a group, you can check out fellow members’ profiles. But it’s not possible when you’re not part of it – especially when the group is private.

Security researcher Mohamed Shariff found a pair of bugs that allowed non-members to check group members using queries in graphql, a query language developed by Facebook. The first vulnerability was that attackers can see members of a group with the same city or the same university. And the second bug allowed a non-member to check if a person is part of a group.

Shariff reported this bug to the company in August. A Facebook spokesperson said that the bug was patched and didn’t affect private groups that were hidden.

We found and quickly fixed a bug affecting visible private groups, allowing someone outside of that group to see if someone else was a member of it. The issue did not affect private groups that were hidden. 

With this info, attackers with malicious intent could target people that are part of a certain private group — and live in the same city as them. Or they could also build up a person’s profile using the private groups they’re part of to map their interests, and sell that info to a third party. This fix couldn’t come soon enough.

Did you know we have an online event about corporate innovation coming up? Join the Transform track at TNW2020 to explore how big companies stay relevant with new tech trends emerging every day.

Read next: 10 UX lessons I learned building my product from scratch