Facebook’s API May Expose Private Status Updates

Facebook users who rely on the social network site’s ability to make status updates visible only to certain people may find their posts exposed publicly.

Technology expert Tod Maffin discovered the flaw while using an email marketing system that relies on Facebook’s API.

Maffin says he relies on Facebook’s “Make visible to” feature in the Status Update post box to restrict his status updates; some of his more personal updates go only to the people on his “Close Friends” and “Family” friend lists. When he used the email marketing system, however, he discovered that it pulled all of his status messages, regardless of those restrictions, from Facebook’s Application Programming Interface (API), the interface through which other web sites and applications exchange data with Facebook.

“I was pretty stunned,” said Maffin, senior strategist and COO of tMedia Strategies in Vancouver. “All this time, I’d assumed those posts were kept off any sort of public feed.”

Maffin uses Mailchimp for his email marketing campaigns. The email provider uses merge codes to pull dynamic content from social media sites, such as the sender’s most recent tweets or most recent Facebook posts, into a campaign. Facebook’s API appears to return all of a user’s status updates, regardless of their audience setting, to applications that have been authorized to read the account. This is not specific to Mailchimp: any web application that relies on Facebook’s API could read this content, provided the application is authorized with Facebook (which is necessary to dynamically link Facebook content in the first place). The practical consequence is that a post restricted to a friend list can be republished by such an application to an audience the author never chose, such as the recipients of a mass email.
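The check an integrating application should perform, as an added example that is not part of the original article and not Mailchimp’s or Facebook’s code: treat everything the API returns as the author’s view of his own timeline, and copy a post into a public channel only when its own audience metadata says it was published to everyone. The response layout (a `data` list of posts, each carrying a `privacy` object whose `value` names the audience, with values such as `EVERYONE`, `ALL_FRIENDS`, `CUSTOM` and `SELF`) is modelled on Facebook’s Graph API but is an assumption here, as are the function names; the sample response is constructed for the example.

```python
"""
Audience check for posts read from a social API before they are republished.

Added example, not Mailchimp's or Facebook's code. The response layout
(a "data" list of posts, each with a "privacy" object whose "value" names the
audience) is modelled on the Facebook Graph API but is an assumption here; the
sample response below is constructed for the example.
"""
from dataclasses import dataclass

# Only posts whose audience is everyone may be copied into a public channel.
PUBLIC_AUDIENCES = frozenset({"EVERYONE"})

# Placeholder audience for posts whose privacy metadata is missing; it is
# deliberately absent from PUBLIC_AUDIENCES so such posts are withheld.
UNKNOWN_AUDIENCE = "UNKNOWN"


@dataclass(frozen=True)
class Post:
    post_id: str
    message: str
    audience: str  # e.g. EVERYONE, ALL_FRIENDS, CUSTOM, SELF, or UNKNOWN


def parse_posts(api_response: dict) -> list[Post]:
    """Turn an API response into Post objects, recording each post's audience."""
    posts = []
    for item in api_response.get("data", []):
        privacy = item.get("privacy") or {}
        audience = privacy.get("value") or UNKNOWN_AUDIENCE
        posts.append(Post(item["id"], item.get("message", ""), audience))
    return posts


def public_only(posts: list[Post]) -> list[Post]:
    """Drop every post that was not published to everyone (fail closed)."""
    return [p for p in posts if p.audience in PUBLIC_AUDIENCES]


def render_feed(posts: list[Post], limit: int = 3) -> str:
    """Render the most recent posts as the plain-text block a merge tag would insert."""
    lines = [f"- {p.message}" for p in posts[:limit]]
    return "\n".join(lines) if lines else "(no public posts)"


def build_newsletter_feed(api_response: dict, restrict_to_public: bool = True) -> str:
    """
    Build the 'recent posts' block for an email campaign.

    restrict_to_public=False reproduces the behaviour described in the article:
    everything the API returns is embedded, friend-list-only posts included.
    """
    posts = parse_posts(api_response)
    if restrict_to_public:
        posts = public_only(posts)
    return render_feed(posts)


# Constructed sample response (not real data): one public post, two posts
# limited to friend lists, and one post with no privacy metadata at all.
SAMPLE_RESPONSE = {
    "data": [
        {"id": "100_1", "message": "New blog post is up.",
         "privacy": {"value": "EVERYONE"}},
        {"id": "100_2", "message": "Weekend plans with the family.",
         "privacy": {"value": "ALL_FRIENDS"}},
        {"id": "100_3", "message": "Close friends only: moving house next month.",
         "privacy": {"value": "CUSTOM", "friends": "SOME_FRIENDS"}},
        {"id": "100_4", "message": "Post with no privacy field."},
    ]
}

if __name__ == "__main__":
    print("Unfiltered (the behaviour Maffin observed):")
    print(build_newsletter_feed(SAMPLE_RESPONSE, restrict_to_public=False))
    print("\nFiltered to public posts:")
    print(build_newsletter_feed(SAMPLE_RESPONSE))
```

The filter fails closed on purpose: a post with no audience metadata is withheld rather than assumed public, since the cost of dropping a public post from a newsletter is small and the cost of republishing a friends-only one is not.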

Maffin has documented the flaw on his website at www.todmaffin.com/friendsplittingbug.