Hey all,<p>I work at Facebook, but this is not an official media statement.<p>This doesn't appear to be a Facebook bug that leaks anyone's private email address. It appears that all the examples indexed in Google exist in Google because they were already published publicly on other Internet sites. We're committing a fix right now to stop indexing this page in Google, but even that wouldn't prevent email addresses from being published because it appears that users are already republishing their addresses in other non-Facebook venues.<p>For example, if you see <a href="http://www.facebook.com/o.php?k=afc4a7&u=1018862530&mid=21f667bG3cba9bc2G0G8" rel="nofollow">http://www.facebook.com/o.php?k=afc4a7&u=1018862530&...</a> in isolation, it appears to be divulging private information.<p>However, the original Facebook email that links to that page and contains the user's email address was republished publicly on a mailing list archive by the owner of the email address: <a href="http://games.dir.groups.yahoo.com/group/Living_Greyhawk/message/98175" rel="nofollow">http://games.dir.groups.yahoo.com/group/Living_Greyhawk/mess...</a><p>Does anyone see an example where this is not the case that constitutes a privacy leak?<p>Blake Ross
Google is indexing Facebook's "Opt out of emails from Facebook" page for email addresses that were submitted using the "Find a friend" feature.<p>I checked out the Google site and saw a few addresses in the format name.secret@blogger.com, which indicates these are the SECRET email addresses people use to post to their blogger sites. Pretty bad.
I can debunk the misconception that Google somehow crawled "private" or Gmail content to discover these links. How can I prove it? Because Yahoo crawled these pages too. Here's a screenshot I took of Yahoo returning similar pages: <a href="http://www.mattcutts.com/images/yahoo-facebook-leak.png" rel="nofollow">http://www.mattcutts.com/images/yahoo-facebook-leak.png</a> including a Gmail address. Yahoo clearly didn't discover that content via Gmail--it found it via public links on the public web. That's how Google found these pages too.
I wonder why we are seeing more issues about Facebook privacy issues recently. Is it because the coverage of this has made people start questioning their policies and looking into things that have not been researched, or is Facebook becoming more lackadaisical about privacy as time passes? Or, have these things been said a lot in the past, and we are just now realizing the plethora of complaints?
Isn't it a bit more concerning that we can modify these people's settings by clicking the links? (at least it appears we can)
I have not checked but there may be a way to modify the URL string to view anyone's email (sample URL taken from that guy's post below)<p><a href="http://www.facebook.com/o.php?k=16531b&u=100001103986041&mid=271e1e0G5af35247bd79G8dbe4G46&c" rel="nofollow">http://www.facebook.com/o.php?k=16531b&u=100001103986041...</a>
<i>(warning: clicking this link will log you out of Facebook with no prompt)</i><p>Or, perhaps a way to take the authentication hash + mid hashes from above to perform another function on someone else's account. (like changing the email, or changing privacy settings)
So, how did Google become aware of the existence of these URLs in the first place? I seriously doubt they're linked from another Facebook page.<p>Is Google harvesting links from secure pages using their toolbar or something? Are people's personal mails leaking through other means?<p>I noticed that a few of them are indexed by Google because someone decided to reprint the email - URLs and all - to their blog. But that's a rare exception, and obviously not the case with the author of the article.
It gets funnier... This poor sob just got their email revealed when I searched for<p>"Email Opt-Out | Facebook"<p>I can also disable Facebook emails for them:<p><a href="http://www.facebook.com/o.php?u=1187719938&k=5fcf21" rel="nofollow">http://www.facebook.com/o.php?u=1187719938&k=5fcf21</a>
If your information is PUBLIC, what the HELL do you expect? There are so many good reasons to be irritated with Facebook's privacy debacle. This is <i>not</i> one of them.
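Two points raised in the thread, the fix to stop the opt-out page being indexed and the concern that following the link changes a setting, can be shown in one defensive sketch. This is an added example, not Facebook's code: the HMAC token scheme, the `PREFS` data, the key and all function names are assumptions made for illustration; only the `u` and `k` parameter names come from the URLs quoted above.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # placeholder; a real key lives in a secret store
PREFS = {"1001": {"email": "alice@example.com", "emails_enabled": True}}  # constructed

NO_INDEX = {
    "X-Robots-Tag": "noindex, nofollow, noarchive",  # keep the page out of search indexes
    "Referrer-Policy": "no-referrer",                # keep the tokenized URL out of Referer
    "Cache-Control": "no-store",
}

def make_token(user_id: str) -> str:
    """Per-user opt-out token (assumed scheme: HMAC-SHA256 over the user id)."""
    return hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()

def mask(email: str) -> str:
    """Show only enough of the address for its owner to recognise it."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"

def handle_opt_out(method: str, params: dict) -> tuple:
    """Return (status, headers, body) for a request to the opt-out page."""
    user_id, token = params.get("u", ""), params.get("k", "")
    user = PREFS.get(user_id)
    expected = make_token(user_id).encode()
    # Constant-time comparison; unknown user and bad token get the same answer.
    if user is None or not hmac.compare_digest(token.encode(), expected):
        return 404, NO_INDEX, "Not found"
    if method == "GET":
        # Safe method: render a confirmation form only and never change state,
        # so a crawler or a stray click cannot flip the setting.
        return 200, NO_INDEX, f"Stop emails to {mask(user['email'])}? [Confirm]"
    if method == "POST":
        user["emails_enabled"] = False
        return 200, NO_INDEX, "You have been opted out."
    return 405, NO_INDEX, "Method not allowed"
```

The token in the link is still a bearer credential, so anyone holding the full URL can submit the confirmation; the sketch only ensures that indexing, previewing or following the link does not expose the full address or change the preference.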