Even if you've set your Facebook friend list to private, a vulnerability in the social media platform makes it easy for anyone to find it, whether accidentally or through more sinister means.
The vulnerability is simple: To see someone's full friend list, potential snoops or stalkers only need to create a new Facebook profile and send their target a friend request.
Then, thanks to Facebook's "People You May Know" feature, which mines friend networks to suggest new connections, the snoop will be able to see their target's friend list.
The target doesn't even have to accept the friend request for this to work.
The vulnerability was revealed by Irene Abezgauz, a vice president of product management at French security company Quotium, at the AppSec security conference in New York City on Nov. 21.
Facebook's privacy settings appear to give users a range of options. Friend lists can be public; visible only to the user's own friends; visible to a subset of friends; or viewable by "only me." The last option supposedly makes the list private.
But Abezgauz showed that if a potential snoop sends you a friend invite, that person will be able to see everyone on your friend list, including friends who have their own lists set to private and with whom you have had no public Facebook interaction.
What's the danger of having your friend list exposed? Your friends might not have the same privacy settings that you do, which means their profiles, taken alone or in aggregate, could reveal personal information about you as well.
For example, many people make their current location on Facebook public. If most of your friends all list the same current location, it's a good bet that you're located in the area as well.
Facebook has been slowly rolling back its privacy options for years now. Just last month, the social media giant announced it would no longer let users hide their profile from strangers.
That means it's now easier for anyone to send a friend request to anyone else on Facebook, making this vulnerability even more dangerous.
However, it's still possible to limit who can send you a Facebook friend request: Go to your Account Settings, select Privacy, then select "Who can send you friend requests?" Clicking "edit" will allow you to choose between "Everyone" and "Friends of Friends."