When One Toggle Controls Them All: Active Status Sync Issue in Messenger Lite

While testing Facebook Messenger Lite on a device with multiple accounts logged in, I noticed something odd — and concerning. Changing the active status (online/offline) in one account was also changing it for all other logged-in accounts on that device, without any warning or consent.

Messenger Lite is supposed to let each account control its own privacy settings. Active status is a key part of that — it tells people whether you’re online and available to chat. Users often rely on it to appear offline when they want privacy. But in my testing, this independence between accounts didn’t exist.


How I Found the Issue

I first noticed the behavior when I switched between two accounts on the same phone.

I was logged into User A and turned off my active status so that no one could see I was online. Later, I switched to User B and saw that User B’s active status was also set to OFF — even though I had never changed it for that account.

Even stranger, when I toggled User A’s status again, User B’s status followed automatically. Messenger Lite was essentially linking privacy settings between separate accounts just because they were on the same device.


Steps to Reproduce the Bug

  1. Log into User A in Messenger Lite.

  2. Go to settings and turn off active status (set yourself to invisible).

  3. Switch to User B on the same device.

  4. Check active status — it will also be OFF, even though you didn’t change it for User B.

  5. You’ll also receive a notification about User A’s active status change while using User B.

  6. Switch back and forth between accounts, and you’ll see the active status setting mirror itself across all logged-in accounts.


Expected vs Actual Behavior

| Feature | Expected Behavior | Actual Behavior |
| --- | --- | --- |
| Active Status Toggle | Each account’s online/offline setting should be independent. | Changing one account’s active status changes it for all logged-in accounts on the same device. |
| Privacy Isolation | Other accounts should not reflect changes made in a separate account. | Status changes apply across all accounts, breaking privacy separation. |
| Notifications | Notifications about active status changes should only appear for the account you’re currently using. | Notifications for one account appear while using another account. |

Privacy and Security Impact

1. Privacy Leakage Between Accounts
If I turn off active status on one account to appear offline, my other accounts also appear offline — even if I didn’t want that. This means people connected to those other accounts will think I’m unavailable when I’m not.

2. Broken Account Independence
Most users expect that having multiple accounts on the same device won’t link their privacy settings. This bug breaks that assumption, effectively tying different identities together in ways that could confuse or inconvenience users.

3. Contact Miscommunication
If one of my accounts is for work and the other is personal, a status change in one could unintentionally send the wrong signal to contacts on the other.

4. Weak Session Isolation
This behavior suggests that Messenger Lite might be sharing certain session-level settings across accounts, which could indicate deeper account isolation issues.
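
The shared-settings pattern suspected above, as an added example that is not part of the original post and is not Messenger Lite's code: a hypothetical model comparing a device-scoped settings store with an account-scoped one, where `isolation_violations` replays the toggle-and-switch steps and reports every cross-account change. All class, function and account names are assumptions made for illustration.

```python
"""Hypothetical model of per-account settings storage in a multi-account client."""


class DeviceScopedStore:
    """Flawed pattern: one key per setting, shared by every account on the device."""

    def __init__(self):
        self._data = {}

    def set(self, account_id, name, value):
        self._data[name] = value  # account_id is ignored, so the value is global

    def get(self, account_id, name, default=True):
        return self._data.get(name, default)


class AccountScopedStore:
    """Isolated pattern: every key is namespaced by the owning account."""

    def __init__(self):
        self._data = {}

    def set(self, account_id, name, value):
        self._data[(account_id, name)] = value

    def get(self, account_id, name, default=True):
        return self._data.get((account_id, name), default)


def isolation_violations(store, accounts, setting="active_status"):
    """Toggle the setting in each account in turn and return
    (acting_account, affected_account) pairs where another account's value moved."""
    violations = []
    for actor in accounts:
        before = {a: store.get(a, setting) for a in accounts}
        store.set(actor, setting, not before[actor])
        for other in accounts:
            if other != actor and store.get(other, setting) != before[other]:
                violations.append((actor, other))
    return violations


if __name__ == "__main__":
    accounts = ["user_a", "user_b"]  # constructed sample accounts
    print("device-scoped :", isolation_violations(DeviceScopedStore(), accounts))
    print("account-scoped:", isolation_violations(AccountScopedStore(), accounts))
```

A check of this shape works as a regression test for any per-account privacy setting: the list must be empty for every setting the product promises is independent.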


Why This Matters for Users and Businesses

For individual users, this is an unexpected privacy leak. If you maintain separate Messenger Lite accounts — for example, one for personal conversations and one for business — you might lose control over how each identity appears online.

For business users, it’s potentially more damaging. Imagine running a customer support account and setting it to always show as online, but then toggling your personal account offline. The support account would also appear offline, potentially creating delays, missed messages, and reduced trust from customers.

When privacy settings like active status are unintentionally linked, it erodes confidence in the platform and can cause real-world communication breakdowns.


