Shay Priel of The CyberInt Group, which focuses on information security and cyber warfare, recently revealed the hack in a blog post. He also reported the hack directly to Facebook.
The gist of the issue is that even if you set your personal friends list to be private, that doesn't stop your friendship from showing up on your friend's news feed or in a list of mutual friends. As Facebook puts it in a reminder in its settings: "If people can see your friendship on another timeline, they'll be able to see it in news feed, search and other places on Facebook."
So if you're friends with Sally, and I'm friends with Sally, when you go to my profile, you will see that Sally is a mutual friend, even if my friends list is private.
Priel claims that using Facebook Graph Search you can tap into this Mutual Friends list even without being friends with either user. So if you go to https://www.facebook.com/zuck/friends?and=ChrisHughes, you will see a list of Mark Zuckerberg and Chris Hughes' mutual friends, even if you aren't friends with either user, and despite the fact that Zuckerberg's friends list is private (Hughes' list is public, which is why this works).
You can reconstruct this hack yourself by looking through Facebook Graph Search for potential friends of a user with a private friends list. So for Zuckerberg, you could search "People that work at Facebook and live in the United States," which would produce Chris Hughes as a result. You then plug the likely friend with a public friends list into the Mutual Friends URL.
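The reason the friend-list setting doesn't hold is a policy choice: a friendship is shown whenever the viewer can see it on either person's timeline, so the less restrictive party decides. The following is an added illustration (not Facebook's code and not Priel's tool) that models that rule on a constructed four-person graph, beside a stricter rule where the more restrictive party decides, and computes the mutual-friends list an outsider would see under each. The names, the graph and the helper functions are all invented for the example.

```python
# Constructed toy social graph; names, friendships and settings are made up
# for this illustration. Not Facebook's code or data.
USERS = {
    # name: (set of friends, friend list public?)
    "alice": ({"sally", "bob"}, False),   # keeps her friend list private
    "bob":   ({"sally", "alice"}, True),  # public friend list
    "sally": ({"alice", "bob"}, True),    # public friend list
    "eve":   (set(), True),               # outsider, friends with nobody
}


def friends(user):
    return USERS[user][0]


def list_visible_to(viewer, owner):
    """Can `viewer` see `owner`'s friend list on `owner`'s own timeline?"""
    return USERS[owner][1] or viewer == owner or viewer in friends(owner)


def friendship_visible_lenient(viewer, x, y):
    """Rule the article quotes from the settings reminder: the friendship
    x-y shows up if it is visible on EITHER timeline, so the less
    restrictive of the two parties decides."""
    return list_visible_to(viewer, x) or list_visible_to(viewer, y)


def friendship_visible_strict(viewer, x, y):
    """Hardened rule (hypothetical): the more restrictive party decides.
    Both friend lists must be visible to the viewer; a party to the
    friendship always sees it."""
    if viewer in (x, y):
        return True
    return list_visible_to(viewer, x) and list_visible_to(viewer, y)


def mutual_friends(viewer, a, b, policy):
    """Mutual friends of a and b that `viewer` may see under `policy`.
    Each shared friend m is shown only if both a-m and b-m are visible."""
    return {m for m in friends(a) & friends(b)
            if policy(viewer, a, m) and policy(viewer, b, m)}


if __name__ == "__main__":
    # Alice's list is private, yet the lenient rule lets an outsider learn
    # that Alice and Sally are friends, because Sally's list is public.
    print("lenient:", mutual_friends("eve", "alice", "bob", friendship_visible_lenient))
    print("strict: ", mutual_friends("eve", "alice", "bob", friendship_visible_strict))
```

Under the lenient rule the outsider's query for Alice and Bob's mutual friends returns Sally even though Alice's own list is hidden; under the strict rule it returns nothing, while a viewer who is already Alice's friend (Bob) still sees Sally. The difference is exactly the page's conclusion: with the lenient rule, a list is only as private as the least private friend on it.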
Priel even wrote up some code to automate this process to show how large a loophole this could be. You can download the code from Github at https://github.com/prili/fb-hfc.
When Priel reported this flaw to Facebook, they responded:
We do not consider this to be a privacy issue. We include this explanation alongside the friend list visibility setting: "Remember: Your friends control who can see their friendships on their own timelines. If people can see your friendship on another timeline, they'll be able to see it in News Feed, search and other places on Facebook. They'll also be able to see mutual friends on your timeline."
So unless you make sure to only be friends with Facebook users that keep their friend list private, there may not really be such a thing as a "private friend list."