Stop me if you've heard this one before: Facebook has a privacy hole that exposes private information to the public. And it's a serious one, this time in Facebook Pages Manager for Android, which has been installed over 5 million times since January of this year. Let me explain.

Update 5/26/13 11:30pm PT: Rory from Facebook Security has informed me that the company is looking into the issue and "will try to get a fix up soon."

Update 5/27/13 06:28pm PT: Facebook patched the issue.

The Flaw


Yesterday, Android Police reader Joann MacDonald tipped us off to a critical bug in the aforementioned application created by Facebook to help Facebook Page admins manage their Pages. The Android app, originally launched on January 4th of this year and currently sitting at version 1.4, has a private messaging feature, predictably called Messages. Messages lets Page managers communicate with Facebook users who contact Pages and is essentially the Facebook equivalent of email. Email that supports picture attachments.

Here's the problem. Right now, if a Page manager of any Page, say AndroidPolice, replies to any private message and attaches a picture in this private reply, this picture will be immediately and very publicly posted to the wall of the Page. To everyone visiting the wall, which is usually the first thing you see when you go to a Page on Facebook (in our case, the photo will look like a regular message posted with Public settings by the page itself.

Joann wrote:

I sent a PayPal screen dump to a customer who thought her payment never went through, and went straight to my page showing her name, address and value of order and payment status. It's caused me major stress as you can imagine.

According to Joann, several attempts to contact Facebook were made but all were left unanswered (everyone, feign surprise). She added:

Don't want anyone else being cost money... bloody thing cost me 80 quid in giving a free bracelet to the customer :-)

We verified that this bug is present in the Android version 1.4 of Facebook Pages Manager and does not manifest itself if you use the Facebook site. We have not tested the iOS app.

Flaw Demo

Here is the test we carried out:

  1. I messaged the AndroidPolice page from a personal account (Artem Russakovskii) and attached a picture I called Test ("We'll do it live!"). As expected, only the Page managers and I could see this message and the picture within.
  2. A page manager then replied to this private message by going to the Messages tab in the Android app, then tapping on the private message and attaching a picture we called Test2 (the Android Police wallpaper with the chrome Android).
  3. At this point, this privately sent picture was immediately posted to and started rapidly accumulating Likes by unsuspecting page visitors who were under the impression that they were just looking at an AP wallpaper we posted to share with them.
  4. As you can see from the last screenshot, the private picture was uploaded by the Android app to a public area called Android Police's Photos under Timeline Photos, and its thumbnail was even visible right under the header next to the About section.
  5. Yup, Shared with: Public, as if we had any doubt by now.
  6. As I mentioned, the next picture (a green Android Police badge), sent via Facebook's desktop site, was correctly limited to the private conversation and was not visible to the public. The issue is limited to the Android app.

Screenshot_2013-05-26-12-16-11 Screenshot_2013-05-26-12-15-38 Screenshot_2013-05-26-12-15-10

Test2 was sent by the Page to the user in a private message (middle) but immediately showed up in public (right)

5-26-2013 1-17-18 AM 5-26-2013 1-16-28 AM 5-26-2013 1-24-27 AM

The same view from Facebook's desktop site

Note: I have selected the full disclosure route in reporting the incident in hopes that Facebook will no longer have the option to ignore or brush it off (I have found at least three Play Store comments in the last week that have echoed this concern, and Joann's own attempts to contact Facebook were futile). Considering that this is not even a vulnerability or an exploit but rather a PSA (the more Facebook Page managers and users are aware of it, the better), this disclosure method is perfectly fine here.

As Joann's example above showed, the privacy violation could be very serious in certain situations exposing personal details and other sensitive information, and Facebook should fix it as soon as possible. We'll keep you updated on the progress.