The security flaw was found by new Facebook-watching blog FBHive. Originally reported to Facebook on June 7, the bug went unfixed until yesterday.
"With a simple hack, everything listed in a person’s “Basic Information” section can be viewed, no matter what their privacy settings are. This information includes networks, sex, birthday, hometown, siblings, parents, relationship status, interested in, looking for, political views and religious views," said a June 22 posting on the blog. "We have already reported this bug to Facebook on June 7th 2009, through multiple avenues, but it has received little attention. Hopefully this incites a little more action from them."
Carried out when editing personal information on a profile, the attack was executed by changing the profile ID parameter in the HTTP POST request. The researchers did this using Tamper Data, a plug-in for the Firefox browser that enables users to edit HTTP POST request parameters with the help of an easy-to-use graphical user interface.
To prove that the attack worked, the team posted the personal phrasebook information of several Internet celebrities, including Cory Doctorow, the editor of the popular blog Boing Boing, and Facebook CEO Mark Zuckerberg.
Although the blog originally highlighted the flaw on June 22, it did not immediately demonstrate how it was done. Instead, it stated that it would be posting a demonstration in the next few days, giving Facebook's security team further time to fix the bug.
The authors posted a video demonstrating the attack yesterday, but by this time, Facebook's security team had been in touch and fixed the bug.
The blog authors acknowledged the fix, and made it clear that the attack shown in the video no longer works. It also removed the personal details it had posted online at Facebook's request.
"We have identified this bug and closed the loophole," Facebook said in a statement. "We don't have any evidence to suggest that it was ever exploited for malicious purposes."
However, this is not the first time that Facebook has experienced security problems. FBHive points to a report by The Register in 2007, highlighting a more complex attack that achieved the same result. And the company has also had to fix flaws that enabled unauthorized members to view others' private photos.