Privacy bug causes Facebook to disable chat

After video shows a profile-preview feature could expose users' private chats and friend lists, company calls it a temporary bug that was swiftly fixed.

Caroline McCarthy Former Staff writer, CNET News

Some Facebook users' live chat messages and pending friend requests were briefly visible to their contacts this week, as the result of a bug in the massive social network's "Preview My Profile" feature. Facebook confirmed the contents of a video posted to TechCrunch Europe on Wednesday that demonstrated the flaw, and has temporarily disabled its live chat software, but denied that it was a large-scale security problem.

What exactly happened in the video? Facebook's privacy settings offer a feature called "Preview My Profile," which lets you type in the name of someone on your friends list and then see how that person sees your profile in accordance with your privacy settings. But it appears that somehow "Preview My Profile" actually gave the user in question a glimpse from inside the other user's profile, and so it displayed that user's live Facebook Chat conversations and replaced the original user's list of pending friend requests with that of the user whose "view" was being previewed.

"For a limited period of time, a bug permitted some users' chat messages and pending friend requests to be made visible to their friends by manipulating the 'preview my profile' feature of Facebook privacy settings," a statement from Facebook read. "When we received reports of the problem, our engineers promptly diagnosed it and temporarily disabled the chat function. We also pushed out a fix to take care of the visible friend requests which is now complete." Indeed, when I checked on Wednesday morning, Facebook Chat was disabled.

What Facebook hasn't said is how many members were affected and for how long. But since previewing profiles is something many members do on a regular basis to check their privacy settings, and the hole had never popped up before, it's safe to assume that Facebook isn't bluffing here and that it actually was a temporary security glitch.

Still, this is not a good time--not like there's any "good" time--for Facebook to be experiencing a security issue that exposes private data. The company has recently come under fire for pushing even more profile data public by default and sharing even more with third-party partners through the Open Graph API and Social Plug-ins projects announced last month at its F8 conference. A coalition of U.S. senators has taken issue with Facebook's new privacy policies, and activist groups like MoveOn.org are on the company's case as well. Plus, there are reports of Facebook employees commenting offhand that founder and CEO Mark Zuckerberg "doesn't believe in" privacy.

Perhaps as a result of this recent negative press, appended to Facebook's statement about the recently discovered bug was a sentence assuring users that the company does, in fact, take privacy seriously: "We worked quickly to resolve this matter, ensuring that once the bug was reported to us, a solution was quickly found and implemented."