A Belgian security researcher has found an unusual quirk in Facebook’s search function. Facebook lets you search for photos of your female friends, but refuses to play ball if you want to look up pictures of your male friends. The bizarre quirk was discovered this weekend by notorious Belgian white-hat hacker Inti De Ceukelaire.
What's more: when you request photos of your male friends, Facebook assumes you wanted to look at photos of women. *Facepalm* pic.twitter.com/lIOBtAnvla
— Inti De Ceukelaire (@intidc) February 11, 2019
TNW has managed to replicate the glitch across several Facebook accounts. When you type “photos of my female friends” into the search bar, Facebook will return a seemingly random selection of photos from your female friends.
Swapping “female” for “male” returns something completely different. Instead of pictures of friends from within your social network, you’re shown a selection of pictures from across the social network. In our experience, these came from accounts and groups we did not follow. Facebook will also ask if you meant to type “female,” assuming you mistyped your query.
Inti De Ceukelaire has made a name for himself over the past few years, thanks to the multitude of pranks he’s pulled, almost all with the aim of exposing security and privacy inadequacies within the services we use. In 2017, he used Facebook’s private search functionality to find the personal email address of Melania Trump, the current First Lady of the United States. Just a few months earlier, he searched for expired domain names on Donald Trump’s previous tweets in order to redirect them to a video celebrating his hometown of Aalst.
Broadly speaking, his modus operandi is to test the limits of the platforms he’s targeting without using the more aggressive tools and tactics of other hackers. Speaking to TNW over the phone, De Ceukelaire explained that this incident was no different, and he stumbled upon this quirky little bug merely by chance.
De Ceukelaire runs a site called StalkScan.com, which allows anyone to see what kinds of information their profiles are leaking, thanks to Facebook’s advanced Graph Search tools. Graph Search has been around in various forms since 2013, and allows users to parse through social data using natural language queries — queries like “photos of my female friends.”
Over the past few years, Facebook has quietly scaled back its Graph Search, removing it from public view and making it harder to access. That being said, it’s still publicly available, much to the dismay of De Ceukelaire. “I can’t believe this feature is still working,” he told me, somewhat aghast. “Nobody needs this.”
It’s unlikely Facebook is a fan of StalkScan.com. De Ceukelaire believes the social giant has taken steps to stop it from working, and over the past few months he has faced several temporary service disruptions. It was after one perceived incident that he noticed this weird quirk, purely by chance.
“I found that I could no longer filter by men, but it was still possible to filter by females,” De Ceukelaire told me. Worse, he said, when he searched for photos of his male friends, Facebook would ask if he meant photos of his female friends.
Back to 2004?
If you’re feeling an overwhelming sense of deja vu, you’re not alone. The predecessor to Facebook was a deeply unsavory site called Facemash that allowed Harvard University students to rate their female colleagues based on perceived physical attractiveness. It’s a far cry from the now-hugely popular social network site, used by millennials and grandparents alike. Facebook has desperately tried to shed this deeply questionable part of its history for something more saccharine and innocuous.
It’s exactly for this reason that this glitch is so unfortunate for Facebook. It feels a bit like Facemash 2.0.
The main difference though is that this is almost certainly an innocent mistake, rather than the product of dorm-room shenanigans. Facebook continues to adjust and remove functionality from Graph Search as it figures out what to do with this moribund product. As it goes through this process, mistakes will almost certainly happen.
I should add that TNW reached out to Facebook to hear their side of the story. Unfortunately, at the time of publication, they’re yet to issue a statement. If they get back to us, we’ll update this post.
Jessica spends 12 hours a day on the internet managing security for web assets and loves her matcha tea