
The video shows how this "discover parts of it" can be used together with simple queries to acquire profiles that likely share common friends with the target. Then it accumulates common friends with each of these. For the case of Zuckerberg, with a single start query ("People who like Spotify and Facebook Security and live in United States and work at Facebook") it produced 486 friends from Zuckerberg's friends list, a list he had marked as only viewable by his friends.

It might not be an exhaustive list, but it certainly shows a way to circumvent a protection most people think is in place, when they chose "only friends can see my friends list".

In other words, the title is far from "very misleading". This is what that vulnerability allows.


