Facebook Revokes Internship After Student Exposes Messenger Flaw

When a Harvard student built an application that exposed a privacy risk, Facebook yanked his internship offer.

Facebook Revokes Internship After Student Exposes Messenger Flaw
[Photo: Flickr user Canned Muffins]

Landing a high-profile internship is a coup for any college student. But even before Harvard student Aran Khanna began his internship at Facebook, he was already hard at work in his dorm room on a browser application that piggybacked off users‘ location data on Facebook Messenger.


Rather than impressing former Harvard dorm room hacker and Facebook founder Mark Zuckerberg, Khanna’s application was speedily shut down. Facebook then rescinded Khanna’s internship offer.

This, from the company that touts a culture embracing the “hacker way”–written all over its walls, according to Molly Graham, who managed culture and employment branding for two years at Facebook–seems more than a bit hypocritical. Especially considering that Graham once said, “Companies tend to reflect everything about them—their personality, strengths, weaknesses. So when you start defining culture in an intentional way, first look at yourselves. If you’re not a founder, look at your CEO and the people who were there at the very beginning.”

What happened?

Despite the title of a post he penned on the blogging platform Medium titled “Stalking Your Friends,” Khanna started innocently enough. An avid user of Facebook’s Messenger, Khanna writes:

When you send a message from the Messenger app there is an option to send your location with it. What I realized was that almost every other message in my chats had a location attached to it, so I decided to have some fun with this data.

He created a Chrome extension called Marauder’s Map that would use location data from Messenger to map where users were when they sent messages, which was accurate to within three feet. Khanna pointed out that even without the use of GPS or a mobile device, Facebook was pushing location data out with every message sent by default, and he could track users he wasn’t even friends with, but who took part in group chats.

Apparently, Facebook was aware of this privacy flaw for three years, according to a report on


Khanna wrote:

Let me reiterate that I still find Facebook Messenger extremely useful and use it religiously, albeit with location sharing now turned off. This may lead you to wonder if there really is a problem here, since there is always option to not share your exact coordinates with messages. However, everyone I have shown this extension to has been anywhere from surprised to appalled that this much of their very personal data is online for their friends (and even complete strangers) to access. So it seems that there is an issue.

Over the next three days, Facebook deactivated location sharing from desktops and asked Khanna to disable the app (he did). Then Facebook asked Khanna not to report for work at the internship. The reasoning was that Khanna had violated the social network’s user agreement when his application used data from the site. Furthermore, Facebook asked him not to speak to the press, and told him that his Medium post didn’t meet Facebook’s ethical standards for interns.

Shortly after, reports, Facebook released an update to the Messenger app that pointed out how much control users had over sharing their location information and a spokesperson said it had been in the works before Khanna’s application went viral.

Facebook continues to trumpet its company culture as one of inclusion, collaboration, and creativity. The company hosts regular hackathons which aim to “take ideas you haven’t had a chance to focus on and think about them in a different way,” according to organizer Pedram Keyani, and executives are fond of mantras such as “move fast and break things” and “nothing at Facebook is someone else’s problem.”


The latter phrase is found on a sign that was hung anonymously, and the idea spread throughout Facebook’s campus. “No one owns the culture,” said Lori Goler, VP of People at Facebook, “It’s autonomous and decentralized; we all own it together.”

Yet users, regulators, and critics alike have taken the company to task for failing to be as open with those outside of Facebook’s walls. For example, an abbreviated privacy update a few months ago illustrated that, even after writing its user guide in more colloquial terms, Facebook still has a long way to go to really explain its confusing policy.

This latest news seems to reinforce the notion that what’s good for Facebook is only good within its auspices. In this way, the company not only appears contradictory about its core values, but it is failing to do the things that innovative companies must–like listen broadly to customers, understand them, and organize teams to include those who have a stake in the innovation.

Instead, Facebook is keeping its audience of 1.4 billion people at arm’s length, regardless of whether they support the hacker culture or operate using its principles to enhance their own little corner of the social network.

About the author

Lydia Dishman is a reporter writing about the intersection of tech, leadership, and innovation. She is a regular contributor to Fast Company and has written for CBS Moneywatch, Fortune, The Guardian, Popular Science, and the New York Times, among others.