Is there a major security breach in Facebook’s mutual friending system? An article over at Loose Wire indicates that an engineering loophole has rendered it possible for someone to add another Facebook user to their friend list without mutual consent. Facebook’s mutual friending system can get a little tricky at times, but this particular fluke could be worrisome.
When Jeremy of Loose Wire received a Facebook invite in his email inbox from someone he didn’t know, he was perplexed, since he’s already a Facebook member. But he clicked on the invite link, which directed him to the regular Facebook login page. After logging in, he didn’t see any more information on the person who had sent him the Facebook invite. Jeremy then Googled the sender’s name and found that he was already on this person’s friends list.
The odd thing is that the sender was not, however, on Jeremy’s friends list, meaning the friendship was not mutual. The worrisome part about it all? The sender could now see all of Jeremy’s profile information, and Jeremy could see none of the sender’s.
While this fluke has yet to be confirmed, there are a few standing issues regardless. Assuming that the email address Jeremy received the invite through is also the email address he has associated with his Facebook account, he shouldn’t be receiving invites from other Facebook users in the first place. Red flag #1.
Even legitimate Facebook invites typically don’t provide direct links to the sender’s profile, so being redirected to the login page isn’t entirely atypical. But being on the sender’s friends list without having them on your friends list is red flag #2.
The confusing aspect of this is that certain actions on Facebook enable a user to view someone else’s profile for a set amount of time, even if they’re not mutual friends. Should this be the case, then Jeremy’s situation could in fact be a friending “loophole” that seems to violate certain privacy standards found on Facebook. This may be something that Facebook needs to look into, especially if “fake invites” are at the core of this fluke.
