Imagine the scenario.
You’re a woman in an abusive relationship with a man. Things have turned violent.
You leave the man, block his account on Facebook, and maybe even change your name legally as you want to start afresh.
You update your Facebook profile to reflect your new name.
Would you expect your ex-partner to be able to know what your new name is?
Common sense dictates that as you have blocked someone and *then* changed your name they wouldn’t be able to know that your profile has been updated to use a new name.
And yet, as one security researcher discovered, an unpatched flaw in the way Facebook handles account privacy allows precisely this to happen.
David Mathews, originally from Canada, currently based in London, contacted me a few weeks ago with his discovery that even if you block someone on Facebook your name remains dynamically linked to their profile.
In his example, demonstrated in the video below, an account with the name Daniella Smitherson blocks Jack Smitherson, and updates her Facebook profile with a new name (Sandra Halperson).
“Daniella has blocked Jack, and that should be it. However, in Messenger, her new name is displayed in Jack’s chat session with her,” says Mathews. “Also, should he request a copy of his data via the Your Facebook Information link it display her new name there too!”
Mathews contacted Facebook about the issue last month, concerned that Facebook users could be put in potential danger through the security issue, and that Facebook itself might have left itself open to accusations of breaching personal information laws:
“The block vulnerability is a serious privacy risk to Facebook users. It could disclose a client’s new identity to a stalker or someone that may wish to cause them harm. It is a serious legal and financial liability for Facebook worldwide considering new privacy laws being implemented globally.”
Facebook responded that it would not be offering Mathews a bug bounty, and did not plan to change Facebook’s functionality to prevent the leakage of users’ new identities to people they believed they had blocked:
“When considering the block functionality within our platforms the aim is to prevent the person being blocked from interacting further with the person applying the block. There are certain aspects of a profile which are always public, such as the name and profile picture. If you were to browse to the profile unauthenticated you will be able to see this information. Regarding the chat logs, blocking someone won’t limit their access to your past conversations as it is the future action we are aiming to prevent. You may be able to still send messages via these chats, however the individual on the other side should not receive the new messages.”
What do you think? Do you think Facebook could do more to protect users who change their names from people they have previously blocked? Are Facebook users likely to believe that blocking an account does more than it really does?
Clearly Facebook users who are using the block functionality in the scenario given above are not properly protecting themselves. If you worry that someone you were previously connected with via the site might be stalking you, the best advice might be to delete your account and start a brand new one under your different name.
That is if you want to remain on Facebook at all…
Leave a comment below.
I dumped facebook two months ago and haven't looked back since.
I do agree with facebook explanation. The block option is only to block communication.
I think a better solution is to remove someone from your facebook contacts.
This may also not to be a perfect solution becouse of common friends.
The only true answer here is actually a question. Why are we still using Facebook? We’ve already established that they do not care about privacy at all. They steal our data. They use it in ways that aren’t appropriate. And now this. I have tried closing my account and found out that, surprise surprise, you can’t really “close” it. Your data does not go away. So I simply do not use it.
Great find!
Some other common examples in the UK of this being a risk are where Teachers and Police Officers change their last name on Facebook to avoid students or criminals using it to find, bully or worse.
A very good point!
Facebook "block" should work like on Twitter. When you block someone on Twitter, they won’t be able to follow you, see your tweets (including past tweets), tweet to you, retweet your tweets or DM you. They also can't see your profile.
https://www.guidingtech.com/twitter-block-vs-mute-difference/
Hmm.
Well, with Twitter if someone has blocked you all you need to do to view their timeline is log out of Twitter or create a brand new account.
Your view may vary, but I think Twitter and Facebook are fundamentally quite different in how they operate and users' understanding of their purpose.
Facebook could care less about your privacy. To them, it's all about the wallet.Here's something else to investigate- most of the ads they run go to sites with viruses and malware. I've visited a few of them and my virus protection comes up every time warning me, "You don't want to go there". Again, there's that wallet…
So the whole idea of blocking someone on Facebook etc, is to stop them from contacting you or replying to your posts, but there is a way for them to discover your new identity? What is the point of blocking them then, or am I missing the point?
Would I "expect" it? If you mean could I "predict" it, then yes I would have predicted exactly this. If I felt I had to establish a new identity to push someone out of my life, I assumed that at the very least I would need to flush my entire FB account and start a new one with that new identity and then rebuild my social network. But then again I'm a bit paranoid.
If you mean "do I have a reasonable expectation that changing my name on my FB account should, on its own, stop someone I've kicked out of my social circle from finding my new identity", then I'm not too sure about that either. If I had one or more mutual contacts with the bad actor, I'm guessing that the bad actor might find my new identity inside the list of friends posted by my friends.
The function that a person in this situation presumably wants is not merely to "block" the bad actor from connecting or commenting, but instead to "disguise my existence from" or "make me invisible to" such a person. Even this functionality comes with risk, as presumably FB would need to maintain linkage data to support what is now a "ghosting" relationship.
I can't believe Facebook's stance on this – perhaps Zuckerberg is a robot, and that's why he has no soul! He acts like a robot :-)
Thank you Graham . To me, I think, FB is #CultureThreatning and dangerous.