11 Comments »Want a really great Facebook spam technique? This morning a Facebook user added me as a friend and then tagged me in a post without me approving their friendship request. The post was then displayed on my wall from a Facebook Page that user was administering. I’ve heard of similar issues in the past with tagging users in notes, however this is the first time that I’ve seen someone tag a user in a status update and have it displayed on their wall.
Does it present a huge risk to users? Not really. However it can be used to spam people aggressively. Simply add all the people who you’d like to post on their wall and then tag them in separate posts or one post which includes all of them. While you probably won’t be good at convincing that person to friend you, it may be worth a shot, until Facebook fixes this issue. This is also a huge risk in terms of users being harassed by others.
Imagine unfriending someone because your relationship went sour and suddenly you end up being tagged in a post which includes a compromising photo for all your friends to see. If you aren’t sitting next to your computer and aren’t in a position to log in via your phone, it will be difficult to limit the damage done. So how do you protect yourself? There’s a straight forward way to work around this apparent Facebook bug, although it will end up limiting all your friends, not just new users who are requesting to be friends.
While it’s a bit extreme, it’s useful for those users who what to take drastic action to protect themselves at all costs. In order to block users from tagging you in article posts, you’ll need to disable the ability for people to post on your wall. You can do that by going to the profile privacy page and uncheck the checkbox next to “Posts by Friends”. Keep in mind that this will completely block all of your friends from posting to your wall.
My guess is that Facebook will resolve this issue in a short amount of time, so unless you have bullies that are constantly harassing you or tons of compromising photos around the web, you can probably wait this one out.
Update
For those not clear of how this hack is done. Here’s the step by step process:
- Request someone as a friend
- Go to one of the Facebook Pages you administer (not your profile)
- Tag that person in an article that you link to
- Now it will show up on their profile
Update
Tom Whitnah of Facebook has posted an update in the comments stating that the security issue has been resolved.
fortunately, FB limits the number of tags you can use on a single post - six in a status update, 20 on a note, not sure about pix.
Hey Nick! Glad you noticed it!
Original post that informed about it:
http://www.facebakers.com/blog/11-new-facebook-profile-security-problem-unveiled/
Thanks for letting us know. And thanks Jan for the heads-up. I’m telling everyone (who has issues) to set their privacy to disallow friends posting until FB fixes this. I had a few mysterious posts show up — mystery solved.
so this hack only works if someone is a fan but not a friend?
i once requested someone as a friend, it was pending for ages, and while it was their updates were in my stream. this is a feature. it hasnt required reciprocal friendship for a while now
It’s the same thing with the news feed. Before a request is approved, info about the person will appear in the requester’s news feed.
and what tagging someone in a photo? Could it be the same thing?
However, I was tagged by a friend of mine and I can’t remove it. To solve the problem I disabled the tag option but I would like to remove myself just from this tag, not to ban it completely
tagging sounds great on Facebook!
FYI, this bug was fixed Wednesday afternoon.
http://news.yahoo.com/s/nm/20091117/lf_nm_life/us_words_unfriend
I think I just accidentally discovered that if you go into your privacy modes, and pick a friend to see how they “view” your profile, you can post on your own status updates AS that friend! I was browsing my page in the mode of another friend to see if they saw a comment, and I went to click into my own status update thread to respond to someone, but the picture by the blank field showed as HIM. I didn’t actually post to find out, but it was a bit unsettling nonetheless. I mean, people in a harrassing mood may be able to post discriminating comments from “you” under their own wall. Like I said, I’m not sure it would be a successful post since I didn’t completely try it, but the idea made me a bit nervous.