Imagine the scenario.
You’re a woman in an abusive relationship with a man. Things have turned violent.
You leave the man, block his account on Facebook, and maybe even change your name legally as you want to start afresh.
You update your Facebook profile to reflect your new name.
Would you expect your ex-partner to be able to know what your new name is?
Common sense dictates that, having blocked someone and *then* changed your name, they would have no way of knowing that your profile has been updated to use a new name.
And yet, as one security researcher discovered, an unpatched flaw in the way Facebook handles account privacy allows precisely this to happen.
David Mathews, originally from Canada and currently based in London, contacted me a few weeks ago with his discovery that even if you block someone on Facebook your name remains dynamically linked to their profile.
In his example, demonstrated in the video below, an account with the name Daniella Smitherson blocks Jack Smitherson, and updates her Facebook profile with a new name (Sandra Halperson).
“Daniella has blocked Jack, and that should be it. However, in Messenger, her new name is displayed in Jack’s chat session with her,” says Mathews. “Also, should he request a copy of his data via the Your Facebook Information link, it displays her new name there too!”
Mathews contacted Facebook about the issue last month, concerned that the behaviour could put Facebook users in danger, and that Facebook might have left itself open to accusations of breaching personal information laws:
“The block vulnerability is a serious privacy risk to Facebook users. It could disclose a client’s new identity to a stalker or someone that may wish to cause them harm. It is a serious legal and financial liability for Facebook worldwide considering new privacy laws being implemented globally.”
Facebook responded that it would not be offering Mathews a bug bounty, and did not plan to change Facebook’s functionality to prevent the leakage of users’ new identities to people they believed they had blocked:
“When considering the block functionality within our platforms the aim is to prevent the person being blocked from interacting further with the person applying the block. There are certain aspects of a profile which are always public, such as the name and profile picture. If you were to browse to the profile unauthenticated you will be able to see this information. Regarding the chat logs, blocking someone won’t limit their access to your past conversations as it is the future action we are aiming to prevent. You may be able to still send messages via these chats, however the individual on the other side should not receive the new messages.”
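To make the failure mode concrete, here is an added illustration (not code from the article, from Mathews, or from Facebook) of the difference between a block that leaves the name dynamically linked, as described above, and one that freezes the name a blocked viewer may see at the moment the block is applied. The `Directory` model, the two rendering functions and the audit helper are my own assumptions; only the names follow the article.

```python
# Added illustration of the "dynamic link" problem, not Facebook's code; names follow the article.
from dataclasses import dataclass, field

@dataclass
class Profile:
    user_id: int
    name: str

@dataclass
class Directory:
    profiles: dict = field(default_factory=dict)
    blocks: dict = field(default_factory=dict)  # blocker_id -> {blocked_id: name at block time}

    def add(self, profile):
        self.profiles[profile.user_id] = profile

    def block(self, blocker_id, blocked_id):
        # Snapshot the name the blocked party was entitled to see up to this moment.
        self.blocks.setdefault(blocker_id, {})[blocked_id] = self.profiles[blocker_id].name

    def rename(self, user_id, new_name):
        self.profiles[user_id].name = new_name

def name_seen_by_live(d, viewer_id, subject_id):
    """Leaky rendering: chat and data export dereference the live profile every time."""
    return d.profiles[subject_id].name

def name_seen_by_frozen(d, viewer_id, subject_id):
    """Mitigation: a blocked viewer sees only the name as it was when the block was set."""
    frozen = d.blocks.get(subject_id, {}).get(viewer_id)
    return frozen if frozen is not None else d.profiles[subject_id].name

def audit_rename_leaks(d):
    """Audit: every (viewer, subject, frozen, live) where live rendering would leak a rename."""
    leaks = []
    for subject_id, blocked in d.blocks.items():
        for viewer_id, frozen in blocked.items():
            live = d.profiles[subject_id].name
            if live != frozen:
                leaks.append((viewer_id, subject_id, frozen, live))
    return leaks

def demo():
    d = Directory()
    d.add(Profile(1, "Daniella Smitherson"))
    d.add(Profile(2, "Jack Smitherson"))
    d.block(1, 2)                     # Daniella blocks Jack...
    d.rename(1, "Sandra Halperson")   # ...then changes her name
    return name_seen_by_live(d, 2, 1), name_seen_by_frozen(d, 2, 1), audit_rename_leaks(d)
```

The audit helper is the check a platform could run over its own block table to find every blocked viewer who would see a post-block rename under live rendering.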
What do you think? Do you think Facebook could do more to protect users who change their names from people they have previously blocked? Are Facebook users likely to believe that blocking an account does more than it really does?
Clearly Facebook users who are using the block functionality in the scenario given above are not properly protecting themselves. If you worry that someone you were previously connected with via the site might be stalking you, the best advice might be to delete your account and start a brand new one under your different name.
That is if you want to remain on Facebook at all…
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.