Guess What? Your Facebook Friends List Is Never Private

Even if you've set your Facebook friend list to private, a vulnerability in the social media platform makes it easy for anyone to find it, whether accidentally or through more sinister means.

The vulnerability is simple: To see someone's full friend list, potential snoops or stalkers only need to create a new Facebook profile and send their target a friend request.

Then, thanks to Facebook's "People You May Know" feature, which mines friend networks to suggest new connections, the snoop will be able to see their target's friend list.

The target doesn't even have to accept the friend request for this to work.

The vulnerability was revealed by Irene Abezgauz, a vice president of product management at French security company Quotium, at the AppSec security conference in New York City on Nov. 21.


Facebook's privacy settings appear to give users a range of options. Friend lists can be public; visible only to the user's own friends; visible to a subset of friends; or viewable by "only me." The last option supposedly makes the list private.

But Abezgauz showed that if a potential snoop sends you a friend invite, that person will be able to see everyone on your friend list, including friends who have their own lists set to private and with whom you have had no public Facebook interaction.

What's the danger of having your friend list exposed? Your friends might not have the same privacy settings that you do, which means their profiles, taken alone or in aggregate, could reveal personal information about you as well.

For example, many people make their current location on Facebook public. If most of your friends list the same current location, it's a good bet that you're located in the area as well.

Facebook has been slowly rolling back its privacy options for years now. Just last month, the social media giant announced it would no longer let users hide their profile from strangers.

That means it's now easier for anyone to send a friend request to anyone else on Facebook, making this vulnerability even more dangerous.

However, it's still possible to limit who can send you a Facebook friend request: Go to your Account Settings, select Privacy, then select "Who can send you friend requests?" Clicking "edit" will allow you to choose between "Everyone" and "Friends of Friends."


Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • belardo
    So, when will the site be called "rapebook"?
  • Memnarchon
    Actually more like CIA/NSAbook... :P
  • Darkk
    Don't air your dirty laundry if you don't want people to know. Nothing on facebook is private!
  • Jim90
    An easy solution: DON'T USE FACEBOOK.

    There! job done.
  • back_by_demand
    Considering how people these days are attention seeking media whores, nobody will care
  • The_Trutherizer
    Stopped using this stupid site ages ago. Happier.
  • COLGeek
    To assume anything on FB (or any social network) is private is simply naive. Don't post anything you wouldn't want the whole world to know and you'll be fine.
  • sonofliberty08
    it was called Tracebook technically