Last Updated: May 27th, 2013

Stop me if you've heard this one before: Facebook has a privacy hole that exposes private information to the public. And it's a serious one, this time in Facebook Pages Manager for Android, which has been installed over 5 million times since January of this year. Let me explain.

Update 5/26/13 11:30pm PT: Rory from Facebook Security has informed me that the company is looking into the issue and "will try to get a fix up soon."

Update 5/27/13 06:28pm PT: Facebook patched the issue.

The Flaw


Yesterday, Android Police reader Joann MacDonald tipped us off to a critical bug in the aforementioned application created by Facebook to help Facebook Page admins manage their Pages. The Android app, originally launched on January 4th of this year and currently sitting at version 1.4, has a private messaging feature, predictably called Messages. Messages lets Page managers communicate with Facebook users who contact Pages and is essentially the Facebook equivalent of email. Email that supports picture attachments.

Here's the problem. Right now, if a Page manager of any Page, say AndroidPolice, replies to any private message and attaches a picture in this private reply, this picture will be immediately and very publicly posted to the wall of the Page. To everyone visiting the wall, which is usually the first thing you see when you go to a Page on Facebook (in our case facebook.com/AndroidPolice), the photo will look like a regular message posted with Public settings by the page itself.

Joann wrote:

I sent a PayPal screen dump to a customer who thought her payment never went through, and went straight to my page showing her name, address and value of order and payment status. It's caused me major stress as you can imagine.

According to Joann, several attempts to contact Facebook were made but all were left unanswered (everyone, feign surprise). She added:

Don't want anyone else being cost money... bloody thing cost me 80 quid in giving a free bracelet to the customer :-)

We verified that this bug is present in the Android version 1.4 of Facebook Pages Manager and does not manifest itself if you use the Facebook site. We have not tested the iOS app.

Flaw Demo

Here is the test we carried out:

  1. I messaged the AndroidPolice page from a personal account (Artem Russakovskii) and attached a picture I called Test ("We'll do it live!"). As expected, only the Page managers and I could see this message and the picture within.
  2. A page manager then replied to this private message by going to the Messages tab in the Android app, then tapping on the private message and attaching a picture we called Test2 (the Android Police wallpaper with the chrome Android).
  3. At this point, this privately sent picture was immediately posted to facebook.com/AndroidPolice and started rapidly accumulating Likes by unsuspecting page visitors who were under the impression that they were just looking at an AP wallpaper we posted to share with them.
  4. As you can see from the last screenshot, the private picture was uploaded by the Android app to a public area called Android Police's Photos under Timeline Photos, and its thumbnail was even visible right under the header next to the About section.
  5. Yup, Shared with: Public, as if we had any doubt by now.
  6. As I mentioned, the next picture (a green Android Police badge), sent via Facebook's desktop site, was correctly limited to the private conversation and was not visible to the public. The issue is limited to the Android app.

Screenshot_2013-05-26-12-16-11 Screenshot_2013-05-26-12-15-38 Screenshot_2013-05-26-12-15-10

Test2 was sent by the Page to the user in a private message (middle) but immediately showed up in public (right)

5-26-2013 1-17-18 AM 5-26-2013 1-16-28 AM 5-26-2013 1-24-27 AM

The same view from Facebook's desktop site

Note: I have selected the full disclosure route in reporting the incident in hopes that Facebook will no longer have the option to ignore or brush it off (I have found at least three Play Store comments in the last week that have echoed this concern, and Joann's own attempts to contact Facebook were futile). Considering that this is not even a vulnerability or an exploit but rather a PSA (the more Facebook Page managers and users are aware of it, the better), this disclosure method is perfectly fine here.

As Joann's example above showed, the privacy violation could be very serious in certain situations exposing personal details and other sensitive information, and Facebook should fix it as soon as possible. We'll keep you updated on the progress.

Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • David Margolin

    great find... hope facebook fixes soon

  • fed up

    So how long until JoAnn gets arrested and thrown in jail a la Weev... I'm guessing APs phone records are being reviewed as we speak. Sigh.

  • http://alan.cramer.id.au/ Alan Cramer

    Simple solution to everyone's problem... Get off Facebook.

    • http://GPlus.to/Abhisshack Abhisshack

      and use Google+

      • Christopher Theofilaktos

        I wish it was that easy :(

    • http://www.modminecraft.com/ Nick Coad

      Unfortunately the majority of any company's audience is almost definitely on Facebook as opposed to any other platform.

      You'd need the audience to change, and since this isn't a problem affecting the audience but rather the businesses, it's not likely to happen on the back of something like this.

  • Goldie

    What's the point of FB if they can't dismantle dangerous bugs that exposes people personal details - I feel I should close my account.

  • heat361

    Facebook should fix this problem and their crappy app for android while their at it.

  • Merri Mogridge

    Things like this are why i refuse to install Facebook or any of it's affiliated apps anymore.

  • Universal_Mind

    Slow demise of their image and the company.What a shame. Stock Tuesday will
    continue to fall.

  • Could be Anyone

    Its facebook what do you expect.

    They don't want anything to be private they want everyone to see all your private details so the whole world loses their anonymity which opens up more opportunity to bully and abuse others from the convenience of your own home.

  • FrillArtist

    I pity the idiots that think Facebook is secure.

  • http://www.bordersweather.co.uk/ Andy J

    I would act shocked and surprised - but everything is broken on Facebook these days. 2 years ago I decided to use the "change my username" feature which worked correctly but broke XMPP chat support. I am no longer able to connect to the Facebook XMPP server via my old username or my new one. I spent 6 months trying to contact Facebook and once I got a canned message back from them that had no useful information at all. I still have not resolved the problem 2 years later so I just gave up. It seems the only way to get Facebook's attention is via the Press.

  • Dan Morrill
    • http://www.androidpolice.com/ Artem Russakovskii

      Thanks for the link, Dan. Pinged them via that form.

  • sonyfony

    I find that Facebook apps have more buggs than a WB cartoon, yet ppl still use them!

    • smithers85

      can you please just type out the word "people"? please? jesus christ.

      • Disqus Sucks

        Can you please just capitalize correctly? Please? Jesus Christ.

  • flosserelli

    "Privacy" and "Facebook" should never be in the same sentence.

    • Bloodflame87

      Well that depends how the sentence is structured. For instance, a valid sentence with both those words would be: "Facebook fails at privacy time and time again"

  • Chris Winkley

    Google plus ....

  • squiddy20

    Why do you think I haven't used the official FB app in over 2 years? Friendcaster FTW

    • http://www.androidpolice.com/ Artem Russakovskii

      That wouldn't help you in this situation.

  • DD

    [Generic 'Look, I'm smurt because I'm trashing Facebook' comment #58]

    • Could be Anyone

      u mad bro?

  • http://www.facebook.com/benjamin.pavel Benjamin Pavel

    Bottom line ?
    Facebook has WORST App and Web developers.
    For such big company it surprises me that they always have problems with their web and app version.

  • Miah

    Junk of an app, why didn't they just integrate it to Facebook? Then again Facebook is bloated crap. Billion dollar company can't even make a decent app.

  • Omar Al Matar

    Facebook's apps make me cry