In a shocking revelation made by a group of security researchers, it was demonstrated how a Java based tool can be exploited in order to extract personal information from Facebook user profiles, even when they are not publicly accessible.
Apparently, the tool, dubbed Facebook Pwn, kick starts its mission by creating a fake account which tries to befriend all users in the targets ‘friend list’. Then it chooses one of the users from the victim’s contacts and hijacks his/her identity, and then sends a new friend requests to the victim himself.
If the request is accepted, the tool instantly downloads all the personal information, images stored and safeguarded in the profile with privacy settings- meaning even if the victim comes to know about what’s going on unfriend the fake account, the information would still be saved locally within the tool.
"(The tool) sends friend requests to a list of Facebook profiles, and polls for the acceptance notification. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder," the description notes, according to this Network World report.