Meta Bug Bounty: “Only Me” Workplace Disclosure
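A Facebook privacy vulnerability discovered in 2018: after a user set their workplace to “Only Me,” friends could still indirectly obtain that information through the typeahead suggestion feature. The vulnerability stemmed from the friend count shown in typeahead suggestions not being properly hidden.
2025-12-25 14:36:17 Author: infosecwriteups.com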

Gl1tch


Hello everyone, today I want to share a bug I discovered back in 2018 while exploring Facebook’s privacy features. It was a subtle issue, easy to miss, but it had a meaningful privacy impact. This finding was eventually rewarded by Facebook after review, and I thought it would be useful for other researchers to understand how such small UI leaks can expose sensitive information.

🔍 Finding Summary

In 2018, I identified a privacy flaw in Facebook’s workplace section. Even when a user set their workplace visibility to “Only Me,” it was still possible for friends to indirectly discover that workplace through Facebook’s typeahead suggestions.

The issue came from the social context displayed in typeahead, the small hint showing how many friends are associated with a workplace, although the data was supposed to be hidden.

🛠️ Details

Facebook uses typeahead suggestions across the platform to help users quickly select companies, schools, and locations. These suggestions often include friend counts like:

“1 friend works here”
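
A simplified model of this leak, as an added example that is not part of the original write-up and is not Facebook's code: the same friend count computed with and without the owner's per-field audience check, plus a regression check that flags suggestions whose count includes hidden entries. All names, audience values and sample data are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed model: field names and audience values are assumptions for
# illustration, not Facebook's schema or code.
ONLY_ME, FRIENDS_ONLY, PUBLIC = "only_me", "friends", "public"

@dataclass(frozen=True)
class WorkEntry:
    owner: str
    workplace: str
    audience: str  # per-field visibility chosen by the owner

def can_view(entry, viewer, friends):
    """Would the profile page show this field to `viewer`?"""
    if viewer == entry.owner or entry.audience == PUBLIC:
        return True
    if entry.audience == FRIENDS_ONLY:
        return viewer in friends.get(entry.owner, set())
    return False  # ONLY_ME: hidden from everyone but the owner

def friend_count(workplace, viewer, entries, friends, enforce_audience):
    """Social-context count for one typeahead suggestion."""
    mine = friends.get(viewer, set())
    return sum(1 for e in entries
               if e.workplace == workplace and e.owner in mine
               and (not enforce_audience or can_view(e, viewer, friends)))

def hint(count):
    """Text shown next to the suggestion; None means no social context."""
    if count == 0:
        return None
    return "1 friend works here" if count == 1 else f"{count} friends work here"

def leaking_workplaces(viewer, entries, friends):
    """Regression check: suggestions whose count includes hidden entries."""
    return sorted({e.workplace for e in entries
                   if friend_count(e.workplace, viewer, entries, friends, False)
                   > friend_count(e.workplace, viewer, entries, friends, True)})

# Constructed sample data: bob hides his workplace, carol shares hers.
FRIENDS = {"alice": {"bob", "carol"}, "bob": {"alice"}, "carol": {"alice"}}
ENTRIES = [WorkEntry("bob", "Acme Corp", ONLY_ME),
           WorkEntry("carol", "Globex", FRIENDS_ONLY)]

if __name__ == "__main__":
    for name in ("Acme Corp", "Globex"):
        for enforce in (False, True):
            n = friend_count(name, "alice", ENTRIES, FRIENDS, enforce)
            print(f"{name!r} enforce_audience={enforce}: {hint(n)}")
    print("leaks:", leaking_workplaces("alice", ENTRIES, FRIENDS))
```

The point of the check is that any derived signal (counts, suggestions, ranking) must pass through the same audience decision as the profile field it is computed from.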

While testing, I noticed the following behavior:

  1. I added a workplace to my profile.

Source: https://infosecwriteups.com/meta-bug-bounty-only-me-workplace-disclosure-e80eda0c66bb?source=rss----7b722bfd1b8d--bug_bounty