Facebook Friends Lists Privacy Exploit

Lifting the veil on Facebook's hidden friends lists

A sneaky way to view hidden friends lists

Ok, so the privacy trick is more of a trick/workaround than an exploit, and is by no means some kind of security hole, but it nonetheless gives up some data that most people would assume to be private.
The basic premise is very simple, though the execution is a little more complicated:

If you set your Friends list as private, but your friends do not, your friends list is not (entirely) hidden, and there is nothing you can do about it :P

The “exploit”, if you can even really call it that, relates to the privacy settings of your “Friends List” on Facebook.

If you are an active user of Facebook then you are most probably aware of the information you share and with whom you share it. Since the introduction of the “friends lists” option, you are able to group friends into separate lists and control what data you share with which groups of friends. For example, if you grouped all of your work colleagues into a list, you could choose to hide that group of people from a particular update you make (job interview, fake sick day, etc).

The same is true of individual friends: you can choose to exclude, or include, individual friends from certain updates.

So far, So good.

One of the more interesting things that you can choose to share, or not, is your “Friends List”. These days it’s common for people to hide their friends list, for all kinds of reasons, perhaps out of data privacy concerns for their friends, to prevent a jealous ex-partner, etc.

To set your friends list to private, all you have to do is visit your profile > “Friends” > Edit > Select who to share with.

Facebook Friends List

Now, once your friends list is set to “Only Me”

To test this out, I logged into one of my fake accounts and asked a friend to log in to her account and assist me in testing.

Having set her friends list to “Only Me”, when I visit her profile I only see our mutual friends:

Mutual Friends

So far, So good.

This is how most people would assume the settings we have would work, but by delving a little deeper, we can find a few more people that are on this (supposedly hidden) friends list.

Now what we need to do is go ahead and visit our profile, click the little cog, and select “View As…”

View As...

Then we simply view the profile as the friend with the hidden friends list.

This is where shit starts to get real, yo.

Scroll down a little and you will see a box like this:

Mutual Friends

Now, these are all people who have mutual friends with the person with the hidden friends list, but they are also people who are NOT friends with you (otherwise they would show up as mutual friends).

So, from here we can say with certainty that the person with the hidden friends list has, at least, 38 friends, already something we were unable to say before.

So what we need to do now is get the profile IDs of both of these people: the person with the hidden friends list and the person who shares 38 mutual friends with them.
An easy way to get a person's profile ID is to extract it from their profile picture URL.
So first we visit the profile of our friend with 38 mutual friends, right click on the profile picture, and select “Open image in new tab” (assuming you are using Chrome; if you aren’t, then you should be).

So, with that, the profile picture should pop open in a new tab, in the address bar of your browser will be the file URL of the photo.
My photo, for example, has the following URL:

https://fbcdn-profile-a.akamaihd.net/hprofile-ak-ash2/174396_510050360_274625347_n.jpg

The profile ID is the long number in the middle of the JPG file name, in this case 510050360.

So, once we have the two profile IDs we are almost home and dry!

The next step is to compare the mutual friends that these two people share and take a look at who those 38 people are.
To do this we simply replace the **********’s in the URL below with the two profile IDs and paste it into our browser.

The result:

Mutual Friends

A big list of all of the people that are friends with our friend with the hidden friends list.

All you need to do from here is visit those profiles, extract their profile IDs and run the mutual friends URL again.

Theoretically you could run that with all of the friends that you discover and build up a very substantial friends list for our friend with the hidden friends list.

The only exception to this would be where both people have a hidden friends list, meaning they don’t show up on the mutual friends list that we generate.
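To make the leak described above concrete from the point of view of the person whose list is hidden, here is a small model (added here, not part of the original post, and it talks to nothing on Facebook) that estimates how much of a hidden friends list a viewer who is already a friend can reconstruct by repeatedly intersecting mutual friends, applying the rule that a friend only shows up through someone else's list when that friend's own list is not hidden. The graph, the names and the hidden-list flags are constructed toy data.

```python
"""Toy model of the mutual-friends leak on a constructed social graph.

Assumptions (labelled, not facts from the post): mutual friends between the
viewer and the target are always visible; every person already known to be a
friend of the target reveals their mutual friends with the target, except
people who hide their own friends list (the "both hidden" exception above).
"""

# Constructed undirected friendship graph; these are not real accounts.
FRIENDSHIPS = [
    ("target", "viewer"), ("target", "alice"), ("target", "bob"),
    ("target", "carol"), ("target", "dave"), ("target", "erin"),
    ("viewer", "alice"), ("alice", "bob"), ("bob", "carol"),
    ("carol", "dave"), ("dave", "erin"), ("erin", "frank"),
]
HIDDEN_LISTS = {"target", "dave"}  # users who set "Friends" to "Only Me"


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def mutual_friends(graph, a, b):
    return graph[a] & graph[b]


def recoverable_friends(graph, hidden, target, viewer):
    """Friends of `target` that `viewer` can learn despite the hidden list."""
    known = set(mutual_friends(graph, viewer, target))  # seed: always visible
    frontier = set(known)
    while frontier:
        person = frontier.pop()
        for friend in mutual_friends(graph, person, target):
            # A friend who hides their own list never surfaces this way.
            if friend == viewer or friend in known or friend in hidden:
                continue
            known.add(friend)
            frontier.add(friend)
    return known


def exposure(graph, hidden, target, viewer):
    """Return (recovered friends, fraction of the true list recovered)."""
    true_friends = graph[target] - {viewer}
    found = recoverable_friends(graph, hidden, target, viewer)
    return found, len(found) / len(true_friends)
```

In the toy graph, dave hides his list, so he never appears, and erin, reachable only through dave, stays hidden too; the other three of the target's five friends are recovered.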

So, with a bit of derping around, the once hidden friends list can become almost entirely visible.

Why the fuck you would want to do this, I don’t know, you probably need help.

Just a nice reminder to be careful about what you share on Facebook and, as always, the security of your data is only as secure as its weakest link.

If that weakest link is some dumb kid you went to school with 10 years ago, back when he stuck crayons up his nose, then you may wish to review what you share with them…