2015-08-13



Facebook launched its Messenger app for Android and iOS in 2011 with a default setting that shared its users’ geolocation data. Some news outlets picked up this potential security flaw but it wasn’t until this past May, when computer student Aran Khanna exposed the flaw and the story went viral, that Facebook updated the app not to share geolocations by default. Khanna was set to start an internship with the company this summer but after the story went viral, Facebook cancelled the internship.

Khanna exposed the potential security risks in the default geolocation setting by creating Marauder’s Map. The Chrome extension allowed users to pinpoint the location of anyone who was part of the same messaging thread on the Messenger app, and it plotted their movements on a map based on time stamps. Because the Facebook Messenger app used latitude and longitude coordinates from users’ mobile device GPS, the extension could track users to within meters of their actual location. The consequences of the default geolocation feature were fully exposed and the story went viral – Mashable called it “a Facebook stalker’s dream,” and the story was picked up by The Guardian and the Huffington Post.

After the story went viral and the tracking tool was downloaded 85,000 times, Khanna disabled the extension at Facebook’s request. He details the incident in a study released this week:

"The afternoon of the 27th, one day after the Medium blog post's publication, Facebook contacted me. My future manager phoned and asked me not to speak to any press; however, I was told that I could keep my blog post up. By that evening, the global communications lead for privacy and public policy at Facebook called me to clarify Facebook's expectations that I not speak to the press, saying that his objective was to hamper the spread of what had become a damaging story."

Even though Khanna cooperated with all of Facebook’s requests, three days after the initial post, Facebook cancelled his summer internship. Less than a week later, Facebook released a Messenger update requiring users to opt in to the location sharing feature.
