Privacy Settings Bypassed: Hidden Likes Still Visible Through Facebook Reels

Facebook offers a setting that lets users control who can see the number of likes on their posts. For those who value privacy, setting the visibility to “Only Me” should ensure that no one else can view those numbers. It’s a straightforward option — simple in design and clear in purpose.

While using this feature, I found that it doesn’t work the same way across all parts of Facebook. Even if I hide likes on a post, those numbers can still be seen by others when the post appears as a Reel. This gap in privacy enforcement makes it possible for someone to see engagement data that I had explicitly chosen to keep private.

Description of the Issue

The problem occurs because the “Only Me” setting for like visibility is applied only to the main post view. When that same content is shown in Facebook’s Reels section, the like count becomes visible again to anyone who views it. This means that a privacy setting that works in one part of the app is ignored in another.

For example, I set my post’s like visibility to “Only Me” so that no one could see the total likes. On the post itself, the setting worked perfectly. But when I checked the Reel version of the post from another account, the total likes were clearly displayed.

Steps to Reproduce

  1. Log into Facebook on Android or iOS.

  2. Create or find a post and set the like visibility to “Only Me.”

  3. View the post — the like count will be hidden as expected.

  4. From another Facebook account, open the Reel linked to that post.

  5. Notice that the like count is fully visible in the Reel.

This test confirms that Facebook’s privacy settings are not applied consistently across its features.

Security and Privacy Impact

This behavior undermines user trust in Facebook’s privacy controls. When I choose to hide my like counts, I expect that choice to apply everywhere — not just in certain views. By exposing the numbers in Reels, Facebook allows:

  • Unintended data exposure – people can see engagement metrics that were meant to be private.

  • Privacy setting inconsistencies – users may believe their information is hidden when it’s not.

  • Potential for unwanted profiling – engagement data could be used by third parties to make assumptions about user activity.

Business Impact

From a business perspective, inconsistent privacy settings damage confidence in the platform. Privacy-conscious users may hesitate to post content if they feel their preferences are not fully respected. This could lead to:

  • Lower user engagement.

  • Increased support requests and complaints.

  • Negative publicity if privacy gaps are discussed publicly.

For a platform where trust is critical to retention, even small privacy oversights can have a big effect.

Conclusion

In this issue, I found that Facebook’s setting to hide likes on posts did not fully apply to Reels, allowing others to see like counts that users intended to keep private. This inconsistency shows how privacy settings need to work smoothly across all features to give users clear control over their information.

It’s an important reminder of the challenges platforms face in managing privacy across different parts of their apps.


Comments

Post a Comment

Popular posts from this blog

When an AI Search Engine Forgot Who It Was: A Bug Report That Changed Perplexity AI’s Identity

Image
 Back on March 11, 2024 , I discovered something oddly off about how Perplexity AI saw itself. I had just downloaded the newly launched Perplexity Chrome extension , even though I’d been using the mobile app long before that. Just for fun, I asked the most basic, yet revealing question imaginable: “Are you better than Google?” It seemed like the perfect litmus test for a product that claims to reinvent search. But to my surprise, the response had nothing to do with Perplexity. Instead, it launched into a comparison between ChatGPT and Google. I was stunned - this wasn’t a chatbot; this was Perplexity, a search engine. Why was it talking like it was just a wrapper for OpenAI? Curious (and confused), I switched to the app version and asked the same question. The response was identical: Perplexity was still comparing ChatGPT to Google, completely ignoring its own identity in the process. That’s when it hit me - this wasn’t just a UX quirk; it was a core product logic bug . It wasn...
Read more

Understanding Android’s One-Time Permissions and Their Privacy Implications

I recently came across something unusual in Android’s one-time permission system — something that doesn’t quite match the way it’s described in the official documentation. This is related to the permissions we often see when an app asks for access to sensitive resources like the microphone or camera with the setting “Ask every time.” According to Android’s official documentation, one-time permissions should work like this: When the app is visible and in use, it can access the requested resource. If the app is sent to the background, it may still access the resource briefly. If the app is completely closed — either by swiping it away or force stopping it — the permission is revoked immediately. That means, in theory, if I close an app after granting it one-time access, it should ask me again the next time it needs that permission. What I Found While testing, I discovered that Android doesn’t always revoke these permissions instantly when the app is closed. Instead, if ...
Read more

I Accidentally Gained Admin Access to a LinkedIn Company Page - No Verification Needed

I’ve been using LinkedIn for years as a way to connect with professionals, follow companies, and share my work. It’s a platform trusted by millions for networking and recruitment. Company pages are especially important — they act as the official voice of an organization, showing job listings, updates, and brand presence. Recently, while casually browsing LinkedIn, I stumbled upon something that made me stop and rethink how secure this feature really is. I found that it’s possible to take full administrative control of certain company pages without any verification at all. No company email, no proof of employment, no review by HR or LinkedIn — just instant access. How I Discovered It It all started with a LinkedIn post about a drone technology company. Out of curiosity, I clicked through to see their LinkedIn profile. The page didn’t look like the usual auto-generated company pages LinkedIn creates when several employees list the same workplace. Instead, it looked like a manually create...
Read more