Newly discovered Facebook privacy flaw could harm those escaping abusers

Facebook says it's not a bug.

Stay informed on privacy and free speech rights

If you’re tired of censorship and surveillance, subscribe to Reclaim The Net.

Facebook could be misleading its users about the effect that changing their name and/or blocking somebody on the platform actually has – by lulling them into a false sense of security while continuing to expose their information.

A recently discovered vulnerability in the block function means Facebook continues to leak identity information to those who have been blocked.

Namely, the platform allows blocked users to keep accessing information about the person who blocked them, including seeing the new, changed name on their profile.

This makes the act of blocking useless, and could be particularly harmful when it concerns exposing persons who are attempting to cut ties with stalkers or real-life abusers.

David Mathews, who discovered the vulnerability, demonstrated how it works in a video that showed Facebook user “Daniella Smitherson” blocking another user, “Jack Smitherson,” and then updating her profile with a new name.


But Daniella Smitherson’s name is also updated to the new one, “Sandra Halperson,” in a past Messenger chat with the blocked user.

“Also, should he request a copy of his data via the Your Facebook Information link it displays her new name there too,” Mathews explained.

But when he informed Facebook about this discovery in October, the company’s reaction revealed that they considered this a feature, not a bug.

“The block vulnerability is a serious privacy risk to Facebook users,” Mathews wrote to the company, adding, “It could disclose a client’s new identity to a stalker or someone that may wish to cause them harm. It is a serious legal and financial liability for Facebook worldwide considering new privacy laws being implemented globally.”

The company responded by saying that the goal of the block function is to prevent future interaction, without limiting anyone’s ability to see past chats.

At the same time, Facebook said, names and profile photos are always public. And from that, users are apparently expected to be aware that just blocking somebody and changing their name won’t end their exposure to those they have blocked.

In other words – if your goal is to protect yourself and your identity from potential harm from other users on Facebook, the only safe way is to delete your existing profile and create a new one from scratch.

But an important question remains: how aware are Facebook users of the effects of this vulnerability? Just as the social media giant will not fix it, it seems unlikely that it will take active steps to better inform its billions of users.
