Skip to main content

Facebook design flaw let thousands of kids join chats with unauthorized users

Facebook design flaw let thousands of kids join chats with unauthorized users


‘We recently notified some parents... about a technical error,’ a Facebook representative said

Share this story

Illustration by Alex Castro / The Verge

Facebook’s Messenger Kids app is built around a simple premise: children shouldn’t be able to talk to users who haven’t been approved by their parents. But a design flaw allowed users to sidestep that protection through the group chat system, allowing children to enter group chats with unapproved strangers.

For the past week, Facebook has been quietly closing down those group chats and alerting users, but has not made any public statements disclosing the issue. The alert, which was obtained by The Verge, reads as follows:

We found a technical error that allowed [CHILD]’s friend [FRIEND] to create a group chat with [CHILD] and one or more of [FRIEND]’s parent-approved friends. We want you to know that we’ve turned off this group chat and are making sure that group chats like this won’t be allowed in the future. If you have questions about Messenger Kids and online safety, please visit our Help Center and Messenger Kids parental controls. We’d also appreciate your feedback. 

Facebook confirmed to The Verge that the message was authentic, and said the alert had been sent to thousands of users in recent days. “We recently notified some parents of Messenger Kids account users about a technical error that we detected affecting a small number of group chats,” a Facebook representative said. “We turned off the affected chats and provided parents with additional resources on Messenger Kids and online safety.”

The bug arose from the way Messenger Kids’ unique permissions were applied in group chats. In a standard one-on-one chat, children can only initiate conversations with users who have been approved by the child’s parents. But those permissions became more complex when applied to a group chat because of the multiple users involved. Whoever launched the group could invite any user who was authorized to chat with them, even if that user wasn’t authorized to chat with the other children in the group. As a result, thousands of children were left in chats with unauthorized users, a violation of the core promise of Messenger Kids.

It’s unclear how long the bug was present in the app, which launched with group features in December 2017.

The privacy flaw is particularly legally sensitive because Messenger Kids is designed for children under the age of 13, and thus subject to the Children’s Online Privacy Protection Act (COPPA). Some privacy groups have already accused Messenger Kids of violating COPPA by collecting user data, and this latest privacy flaw will only heighten those concerns.

The issue also comes at an awkward time for Facebook as a company, which is currently settling charges related to Cambridge Analytica with the Federal Trade Commission. The settlement, which could be publicly revealed as soon as this week, is rumored to include a mandatory privacy committee and $5 billion in fines for Facebook as a company, but no move towards personal liability for CEO Mark Zuckerberg. As a result, it has been widely criticized as insufficient to force the company to adopt stricter privacy protections.