Security and privacy alert: a friend of mine had an issue with his Facebook account. He thought he might have been hacked, but he could also have fallen victim to the recent rash of malware, clickjacking and scams that have spread across Facebook like an epidemic lately. What I didn’t realize was that Facebook keeps a list of potential friends that you may invite to join Facebook. Read on to discover a couple of inherent dangers.
How this happens: Facebook has a utility that logs into your email account of choice and retrieves all of the email addresses it finds there. It then matches these addresses against the friends you have already connected with. Those that remain are potential friends you can invite, by sending invitation emails to the people you select. It seems innocent enough, but consider these two facts: first, handing your email login credentials to a third party (in this case, Facebook) is a security risk in itself; second, Facebook keeps every email address it retrieves in a list under your account, and never tells you that it does so!
In my friend’s case, either via a password guessed by a hacker or (far more likely) one of the rogue apps out there, friend invitations were sent out to over one thousand (!) email addresses that Facebook had saved in his account. It took him a while to clean up the aftermath. Consider this: among your old email contacts you probably have former and current employers, ex-girlfriends, relatives you’d rather not speak to, potential clients, etc., and you’ve just exposed all of them to the existence of your Facebook account.
He found that he could purge his lists by following this link: http://www.facebook.com/invite_history.php. I followed it myself and discovered I had about 588 addresses Facebook had spidered from my own email account. I immediately purged everything I found.
What disturbs me more than finding these hidden addresses is that nowhere did Facebook clearly tell me it would save all of the email addresses it found. It is like a lot of their policies: introduce new “features” but bury them, and in some cases default the new features to “show all of my information to everyone.” And think of the potential, my dear readers: a spammer who can get someone to click on their rogue application’s link can then spam everyone whose address is saved in that person’s friend invitation list! Powerful. And really below the belt.
Stay safe out there!