"The vulnerability allows attackers to discover (more precisely: reconstruct) the private Friends List of any Facebook user," he noted, and added that he had reported the vulnerability to the social network.
But Facebook doesn't consider this to be a privacy issue. "We include this explanation alongside the friend list visibility setting: 'Remember: Your friends control who can see their friendships on their own timelines. If people can see your friendship on another timeline, they'll be able to see it in News Feed, search and other places on Facebook. They'll also be able to see mutual friends on your timeline'," they explained.
Priel isn't satisfied with the clarification. "It’s like saying: 'We have a mechanism named Edit Privacy, but guess what? You won’t get any privacy.' Maybe Facebook needs to change this configuration item to Edit Display or something like that, because this is actually what it is."
What's more, you don't even have to be a friend with a user in order to discover who's on his or her hidden Friends List.
He explained the methodology for the attack in a blog post, but he also created the Facebook Hidden Friends Crawler, a POC tool that automates it.
It's unlikely that Facebook will change the feature in the near future, so users are advised not to consider the private Friends List to actually be private.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.