Creepy Facebook Messenger Stalker App Gets Hacker Fired

WTF? Facebook Hires Hacker…Then Fires Him For Hacking (VIDEO)

Want to stalk all your friends and acquaintances using Facebook Messenger? Sorry, you can’t any more. But it was fun while it lasted.

“Creepily track your friends from FB messages,” reads the enticing description for the Harry Potter-inspired Marauder’s Map app. And sure enough, Aran Khanna’s now-defunct browser extension for Chrome was downloaded over 85,000 times before Facebook had him take it down, and plugged the security hole that made it possible.

But the following screen grab shows how the Harvard student’s Marauder’s Map was able to reveal your friends’ and acquaintances’ geographic location — within an accuracy of three feet! — based on data sent via smartphones with Facebook Messenger, often without their users’ knowledge.

Marauder's Map with Facebook Messenger chat heads and geographic locations.
The Marauder’s Map app used data from Facebook Messenger to display the whereabouts of your Facebook Messenger friends. (Screen grab: Aran Khanna/Medium)

As Khanna explains on Medium, an online blogging community, he started using Facebook Messenger as a college student to keep in touch with family and old friends and chat with new ones. And he soon noticed that the Facebook Messenger app on his smart phone had a strange habit of sending out maps with his geolocation along with his texts.

If you don't change your default settings, Facebook Messenger sends maps with your location, like the one shown here.
Do you want Facebook Messenger sending people your location along with your texts? (Screen grab: Aran Khanna/Medium)

Khanna then figured he’d “have some fun” with this, and programmed the Marauder’s Map app to show where your Facebook Messenger friends and acquaintances are. But when he finished, Khanna was shocked to realize the frequency and level of detail with which Facebook Messenger gathers and sends out the physical locations of its users throughout the day.

It turns out that the information Facebook Messenger pushes out not only makes it easy to discover your friends’ immediate whereabouts, it also lays out their daily routines for the world to see. Oh, but it gets worse: Facebook Messenger was broadcasting people’s locations to people in your group chats, even if you haven’t “friended” them!

Stalker ex? Ultra-strict, religious parents who can’t let go? Alien life forms who need donors of your particular blood type in order to survive? If you’ve ever sent them a message on Facebook, you’d better watch out.

As Khanna explains:

You may not believe that there are enough of these location tagged messages to provide truly invasive data on any one person, since they must be on mobile, with GPS on, and choose to share their location for it to be sent… right?

What you should keep in mind is that the mobile app for Facebook Messenger defaults to sending a location with all messages.

That’s right. Sending maps that pinpoint your geolocation was Facebook Messenger’s default for the 200 million hapless souls Facebook’s founder and CEO Mark Zuckerberg claims are using the damned thing. Once Facebook caught wind of the Marauder’s Map, they patched Facebook Messenger up with an update and then patted themselves on the back in a smug and self-congratulatory press release:

 “With this update, you have full control over when and how you share your location information.”

Wow. That’s great news…Assuming your creepy stalker ex hasn’t already tracked you down to your home — where you’d recently chatted with someone via Facebook Messenger — and murdered you in your sleep. #ThanksFacebook.

Khanna Fired From Internship For Exposing Facebook Messenger’s Huge Privacy Violation.

So we all know how Khanna’s story ends, right? In the movie version, Facebook’s top brass checks out the Marauder’s Map, gasps in awe of Khanna’s technical prowess, and declares:

“Who IS this young hacker genius who saved us from massive lawsuits and potential ruin? We must hire him to take charge of our currently non-existent Secure and Awesome Customer Experience Department — or at least give him a hefty reward — right away!”

And why not? Facebook’s Founder and CEO Mark Zuckerberg also went to Harvard, launched a killer app from his dorm room, and once declared “move fast and break things” as the mantra for his company’s coders. In Zuckerberg’s 2012 pre-IPO letter/pitch to vulture capitalists investors, he even went on about how Facebook was a company of idealistic “hackers” who want to change the world:

[…] the vast majority of hackers I’ve met tend to be idealistic people who want to have a positive impact on the world. We have cultivated a unique culture and management approach that we call the Hacker Way.

But that’s not what happened at all. It turns out that Facebook had already hired Khanna for one of their highly sought-after summer internships. Alas, that internship was not to be.

Khanna told the Boston Globe that Facebook called him — just hours before his cross-country flight — and told him not to bother flying out to Silicon Valley. Not because Khanna embarrassed them by pointing out a major breach of privacy in Facebook Messenger, of course. But because of Khanna’s post on Medium, as explained in an email from Facebook’s global human resources and recruiting chief:

“His [Khanna’s] Medium post [where he explained Facebook Messenger’s privacy flaw in detail] didn’t meet the high ethical standards expected [by Facebook] of interns.”

Furthermore, the Boston Globe got hold of Matt Steinfeld, who insists that Khanna was the one who was violating Facebook Messenger users’ safety and right to privacy.

“This mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people’s privacy and safety. Despite being asked repeatedly to remove the code, the creator of this tool left it up. This is wrong and it’s inconsistent with how we think about serving our community.”

So now Facebook — FACEBOOK?!?! — gets to lecture some bright, geeky college kid about privacy and high ethical standards? That raucous cackling you hear (accompanied by a single loud thump) is the sound of this writer laughing her ass off.

Seriously, Facebook needs to get off their high horse. Because, really, Facebook’s a faceless corporation whose business model involves gleaning and hoarding massive amounts of personal data from users so they can serve us ads paid for by companies who first have to pay Facebook for their followers, and then have to pay over and over again to actually reach the followers they paid for.

Don’t get me wrong, I adore Facebook, in fact, I practically live there. I really don’t mind having ads show up in my feed — heck, sometimes I even click on them to make donations and actually buy things. But get real. Huge companies don’t become huge these days by giving even one sh!t about their users’ privacy or by embracing “high ethical standards.”

So much for “the hacker way” in Silicon Valley.

Khanna insists that he didn’t do anything harmful or morally wrong, he just wanted to bring Facebook Messenger’s gaping security hole to people’s attention. Nor did he “scrape” any proprietary code or anything that wasn’t already public. Khanna just used publicly available data and his own damn messages — with the GPS locations Facebook Messenger kept sending to his chat buddies — to figure out how to write the code for his app.

And guess what? The Marauder’s Map never would have worked had Facebook not carelessly and flagrantly violated the privacy of their Facebook Messenger users and put their safety in danger by setting the default to broadcast people’s coordinates. Khanna’s not even the first to publicly call attention to this massive lawsuit waiting to happen. CNET posted a video on how to keep Facebook Messenger from sharing your location way back in 2012.

Don’t worry about Khanna, he’s doing just fine. He landed on his feet with an internship for a different company, and also published a case study, “Facebook’s Privacy Incident Response: a study of geolocation sharing on Facebook Messenger,” that ought to get him respect in the high-tech, business and academic worlds.

But the really sad thing is how swiftly Facebook has morphed from an exciting, creative and innovative start-up that embraced hacker culture as a way to push boundaries and improve their product to a boring, uptight, soulless and cowardly corporation that would rather shoot the (Facebook) messenger who bears bad news instead of rising to the occasion and rewarding initiative.

And yeah, publicly shaming your future employer probably isn’t the best way to go about things. But without bright, arrogant young smart asses with awesome technical skills and less awesome social skills, most of Silicon Valley’s high-tech companies wouldn’t even exist. The high-tech industry was once a haven for idealists and brilliant creative types, but now, alas, it’s “matured.” Which is the nice word for “become as staid, conformist, risk-averse, money-grubbing and stifling as all of the other businesses in this country.”

Here’s the video with the news report on the whole flap over the Marauder’s Map and Facebook Messenger’s massive privacy flaw.

Featured image/Composite: With apologies to Family Circus (via Pinterest)