Slashdot Mirror
Facebook Flaw Exposed Private Photos
Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."
Facebook privacy violation? *shockface* I'm sure glad I don't use Facebook.
To offset political mods, replace Flamebait with Insightful.
If you upload something to Facebook, assume anyone can see it. Whether it's a genuine hack, somebody figuring out your password, or leaving a computer logged in while you go grab coffee, somebody will at some point have access to everything, so don't upload it in the first place. It's that simple.
That means don't complain profusely about your boss every day, don't send explicit messages to you lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.
You do not have a moral or legal right to do absolutely anything you want.
I wonder what constitutes a "private photo" for Zuckerberg, my guess is he has no photos that would be even remotely interesting since he knows the ins and outs of FB, and why does spell check want to turn "zuckerberg" into "rubbernecker"?
It's all related somehow...
"If any question why we died, Tell them because our fathers lied."
Considering hard links to your photos work for anyone on the internet, this isn't a surprise in the least. I wouldn't call it a hack at all.
I saw a link to the forum discussing this somewhere. From the description of the "hack", I was certain this is a hoax. You see, the idea is that the hack is to report the user with private pictures to facebook as having "nude/pornographic" images, and in the image flagging process it shows you private-only pics as well.
So it really sounded like a hoax to me to have people go around reporting private profiles of hot girls (or even boys I guess), and I am surprised it is a real security flaw. Not that you can call something on facebook a security flaw, since that would require security in the first place, right?
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
I posted something private and it was public???? SOMEBODY PASS A LAW IMMEDIATELY! /end sarcasm
Wasnt Zuckerberg himself who said some years ago that whoever wants to have privacy is guilty of something?
A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa. -Mark Zuckerberg
No Mark,
The private pics of the girl I crush on, yes, those are more relevant to my interests than people dying in Africa. Thank you for giving me occasional glimpses of hope with your privacy blunders.
Yours Sincerely,
Creep.
A "bodybuilding" forum is reporting one of the biggest Facebook flaw I ever heard of? Or in other word, the biggest anti-geek place is reporting a really geek thing??
What's the world coming to??
Them's fightin' words.
This from the moron who shares his name and address with the entire world.
Mistakes happen. Things get through QA. When a bug occurs, if it's in a flight control system, you might crash. If it's in a backup system, you might lose data. If it's in a social network, you might block users you didn't mean to, or you might open your data to unwanted eyes.
Unless we're going to start regulating social networks like we do products for some other industries, then, well, there's a reasonable likelihood of this sort of thing happening on a regular basis. If you don't like it, don't share stuff on Facebook.
The CB App. What's your 20?
Inconveniently, tiny networks are dubiously useful for most of the purposes to which people put facebook, network effects and all that.
It's not my cup of tea; but the notion that one could usefully improve one's security by simply replacing facebook with a personally implemented private network is roughly similar to the notion that one can usefully improve one's security by severing one's LAN from the internet.
Both are true; but not terribly useful for most users.
i barely ever post ac
this worked great. i made a burn account this morning, logged in from my server in another country using x forwarding and a chrome session, and got some *very* excellent photos of an old high school crush. a mormon girl in a bright red skimpy bikini. i have filled the fap data bank from high school back up for a few months, to say nothing of the photoshopping that is to be of her face.
it was exhilarating to gain access to her account. i tried it on other girls i have crushed on too, and although none of them had the same results, today was a day i will look back on fondly, with my pirate hat fanning my perspired face and all my new digital booty.
thanks facebook for giving me something i should never, ever have had. her private bikini photos were just for her boyfriend, but your crappy api let me be a fly on that wall for mere hours of undisputed glee.
This flaw in Facebook has been known to the internet since 2009.
I remember there was this one image floating around on 4chan for a while showing people how the flaw worked. All it consisted of was some messing around with the URL, and you could see any person's private images, whether they were on your friend's list or not.
I can't help to think this is why more emphasis on QA and staging changes appropriately and testing thoroughly and less focus on agile, devops type methodology would have helped. It's a well known fact that Facebook developers work on live production data.
Have a squat over at the hobo house.
He's a bot with a troll starter post, a no life loser who keeps monitoring replies to make sure they last as long as possible.
Is the archive of Zuckerberg's pictures still up somewhere? Every link I have been sent has been devoid of images.
Need any dad jokes?
karma police, ban this man his blatant troll posts, are making me feel ill he's like a first post goatse.
Having a conversation/discussion != trolling. However only a minority actually understand this concept - the ones on the far right side of the bell curve.
Seven puppies were harmed during the making of this post.
karma police, ban this man his blatant troll posts, are making me feel ill he's like a first post goatse.
First they came for Michael Kristopeit, but I didn't speak up since I wasn't Michael Kristopeit. Then they came for Michael Kristopeit 2 and 3 and on and on, until, one day, they came for Michael Kristopeit 412, but I didn't speak up, since I wasn't any of those. Then they came for the muslims and the communists and other uncool people, then they came for me, and there was no one left to speak up for me.
Some of my favourite people are from th US; Vonnegut, Chomsky, Bill Hicks.
As Vader said:
Now, I have you in my sights " ..... Zuckerburg.
Get back to your washed out facebook and buy me a bus.
The other day I finally got around to configuring those privacy settings that everyone has been so on about. Facebook sure doesn't make them easy to find.
I was shocked to find that my account granted access to about three dozen apps that I never even heard of. There were only two or three that I signed up for with my own conscious knowledge. I don't have the first clue how I got signed up for all the rest.
That just pissed me off. As I was no longer actually using the two or three apps that I did voluntarily use, I deleted all three dozen from my account.
You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data. Even if you want to use a particular Facebook app, you should configure that particular app's privacy settings to grant it access only to the data you voluntarily want it to have. If you are no longer using an app, or don't recall ever requesting the use of it, you should delete it from your account completely.
Here's what you do:
Log in to your Facebook account. (Heh, when I did that just now, I found my account locked. It turned out to be because I had deleted my cookies, not because Facebook caught me spreading the word about how to dump what Facebook considers to be its real customers!)
At the top-right is your username, "Friends", "Home" and a small triangle. Click on the small triangle then select "Privacy Settings".
Click on "Edit Settings" to the right of "Apps and Websites". You may need to scroll down a little bit.
Click on "Edit Settings" to the right of "Apps You Use".
I no longer use any apps so I can't continue from here, but at this point it should be pretty clear what to do.
Some apps really will require access to your details so they can function. If so, be certain that you really want to continue using those apps. Give them the minimum level of access that you really want them to have. Delete all the rest.
Request your free CD of my piano music.
I decided it was real when I saw someone post Zuck's photos.
Now if there were porn photos of Mark Z. Ewwww!
Sorry, but gray text on gray background is making my eyes bleed.
I think this story is revealing about Facebook's security architecture. One would have hoped that security policies are defined within the application at a very low level and that all requests for information -- be it photos, posts, whatever -- must pass through that low-level security layer. What this story reveals is that the security architecture of Facebook is such that each developer of each separate function (in this case, the report-a-nude-photo function) is responsible for re-implementing security checks.
I have also found versions 100, 200, 300, 400 , and I think 500. I was hoping to find a different pattern to the wonderful banter he provides, but no, just the same format over again. I was truly amazed when I was first trolled by this amazing contributor, but then I found I was just being fed a formulaic troll, with only 3 different patterns of attack, and a few variables to spice up the form. I am not even sure if it isnt a test of a script.
no no no ... these are great fun.
The pictures.
Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the url of an image (not the facebook url that wraps the image but the actual resource url) you can view it from anywhere whether or not you are logged in.
i'm not sure you isn't a test of a moron.
i'm not sure if you isn't a test of a moron either mate.
To offset political mods, replace Flamebait with Insightful.
> Inconveniently, tiny networks are dubiously useful
Too bad we don't have, like, the ENTIRE BLOODY INTERNET then. It's pretty big, and I've been using it to communicate with people since the mid 1980's.
Oh, I forgot. Facebook is the only way to communicate with your friends and family online. The internet provides no other mechanism for doing so.
Inconveniently, tiny networks are dubiously useful for most of the purposes to which people put facebook, network effects and all that.
Smaller "Facebooks" doesn't mean that the different nodes wouldn't be able to exchange information. Look at emails, it's decentralized and it works. There is no reasons social networks couldn't work in a similar way.
I refuse to use Facebook because it's centralized and out of our control. I would gladly use an open alternative where I can open my own servers at home or at work.
Do you have a key bound to spell "you're completely pathetic."?
I'm glad you've finally come to your senses.
Having a conversation/discussion != trolling. However only a minority actually understand this concept - the ones on the far right side of the bell curve.
Ummm, isn't that where it goes back down to zero?
Thank you sir for making my point for me. Known on the X axis, variable on the Y, etc.
Seven puppies were harmed during the making of this post.
One of them had the idea that she could shock me by giving me her business card that bore a professionally photographed wide-open beaver shot.
If you're anywhere near Santa Cruz, California, Seraphina Landgrebe does excellent erotic photography. I rang her up once in hopes that she could do a nice portrait for use as a Valentine's Day gift, but I did not yet have the kind of relationship with that young lady that would have made Seraphina's suggestion that I pose while clad in nothing but a leopard-print jockstrap appropriate.
That stripper invited me to a party at her place once. There were only three men there, and all manner of incredibly hot young women. It turned out that the lot of them were strippers as well.
Request your free CD of my piano music.
It's silly to expect anything you place on the internet is private
I can't believe he cooked it for dinner!
This is a required feature.. Give it up. Fucknut Co.
Some guy over at Kuro5hin who I know only as modus got the idea that I am some manner of dangerous criminal psychopath because I was so inconsiderate of his easily-wounded feeling to point out that, after two decades of working as a coder, I was weary of the work and wanted to change careers by going back to school to learn how to compose symphonies.
If you look at his comment and diary history at his user info page I linked above, you'll find that the vast majority of them are focussed entirely on me, quite commonly telling all manner of bald-faced lies about me.
He want to all manner of trouble and expense in hopes of making me completely unemployable, by running Google AdWords Select ads that pointed to the rather sarcastic diary I posted in which I requested that my colleagues at Kuro5hin stop giving me crap for not having ever shipped a Free Software product I've been tinkering with over the years. I have always made it crystal-clear that the real value of Ogg Frog was its website, because of its informative articles as well as its opinion pieces, with the Ogg Frog software being meant mainly to attract readers to those articles.
I wrote them all in 2005 and 2006, so I cannot possibly imagine why anyone would have cause to complain. I won't release Ogg Frog because it has some severe bugs in it; because the product is targeted towards naive music fans, I don't want to subject them to the usability problems, crashes, and end-user data loss that are so commonly found in Open Source products that are "Released Early, Released Often".
While I can see the value of having my code inspected by "Many Eyeballs", the two I have are sufficient.
I don't have a problem with some troll being so obsessed with me that he has nothing better to do with his sorry existence than lie about me from the basement of his mother's house.
What I do have a problem with is that this guy devotes vast quantities of effort to discovering where I live or what company I am consulting for. Whenever he is able to figure either of those out, he blasts news of his incredible discovery All Over God's Creation.
For this reason, for a couple of years now I've been very quiet about where I live, and I never, ever mention anywhere who I am working for. When he pointed out that he was following my updates to my resume on my website, I removed my resume entirely then replaced it with a redirect to a general description of my company's consulting services.
He has the idea that he's just being funny in the way so many Internet trolls think they are. If he had not, at this point, kept this crap up for two or three years I might believe him. But by now I feel I really do have reason to be concerned that this crime I committed by pointing out that I want to follow my passion rather than working as a corporate whore anymore is so serious, that if he knew how to physically locate me, he might come after me with a gun.
Don't think I'm just being paranoid. That kind of thing happens All The God Damn Time. I recall as if it were yesterday the incident in which some Silicon Valley engineer for reasons I don't recall brought a gun to work one day and slaughtered seven of his colleagues.
It was at one time possible to obtain personal information from the California Department of Motor Vehicles database. I don't think it was public record, exactly, but somehow some stalker was able to get his victim's home address from the DMV, then showed up at her place and murdered her.
This of course made headlines all over Creation, so now the California DMV database is locked down much more tightly, but I would not be at all surprised if all of the other government databases which have not yet been used to obtain the street address of your next murder victim are not so secure.
In the US, banks, credit card companies and the like use the account holder's mother's maiden name as a form of identification. Given the divorce rate in the state, as wel
Request your free CD of my piano music.
The vast majority of old friends that I want to find again don't have the first clue how to use Google.
While I'm pretty good at "Feeling Lucky" myself, the kind of people who don't know how to use Google also tend not to appear anywhere on the Web under their own real names.
One of my very best friends during my Freshman year of high school was a fellow Roman Soldier in Armijo High School's production of Jesus Christ Superstar. I'm handy with tools, so with the help of Ted and the other tool-handy Roman Soldiers, I supervised the fabrication of all of our spears in my family garage, using my Dad's tools.
Over the summer after that year, Ted totally disappeared. Fell Off The Edge Of The Earth. Left The Building.
I figured that he's moved somewhere and neglected to ever tell me where he moved to. After a while I gave up on ever hearing from one of the very best friends I ever had, ever again in my life.
A couple of years ago I turned Ted up on Facebook. I left the theatre when I graduated from high school, but Ted made theatre his career.
Not long after we Friended each other, Ted invited me to the taping of a TV commercial for one of the big science museums in downtown San Jose, California. I was living in San Jose at the time.
If you ever want to walk right on to a movie or TV set while taping is taking place, just walk right up to the security guard, politely introduce yourself then say "I'm here to see Ted." He'll show you right in. I don't think it really matters whether anyone named Ted is actually present on the production set.
Ted had lost a lot of weight since high school. We used to call him "Little Orange Basketball". He was also a lot taller, as we were both fifteen when we knew each other back then.
Despite the very real Starfleet uniform, green facepaint and pointy prosthetic ears, Ted's very un-Vulcanlike smile was totally unmistakable.
I have all the same objections to Facebook that any rational software engineer - or any rational human being - would have, but if it were not for Facebook, I would never, ever have found my old friend Ted Arabian ever, ever again.
It would be the same for so many of my other friends. There are many that I'm still searching for, but have not yet found. I was once quite stoked to discover that my very best friend from elementary school was the lead actor in a live theatrical production I attended one night, but woe is me, it was not him, he was just using my childhood friend's name as his stage name.
Maybe I can find you a YouTube of The Little Orange Basketball appearing as Commander Spock... damn, I'm not finding it. There are lots of videos of that exhibition online, but I can't find Ted's TV commercial.
I'll drop him a line; if he has a link I'll post it in a followup.
Request your free CD of my piano music.
Point out that fact to all of your Facebook friends.
After I deleted all that Apps from my FB profile, I pointed out what I'd done on my FB wall.
One of my FB Friends immediately replied to thank me for doing so, and told me that it was only because of my advice that she knew to do the same thing for her own profile.
Request your free CD of my piano music.
Why would someone put their ‘private' photos up on the Facebook?
HAHA!
Too bad the Facebook generation already lost the mental capacity to learn from this.
The creep who posted the parent comment is most likely Kuro5hin's modus, who has been stalking me over the Internet for two or three years.
The reason he knows that I am mentally ill is that I devote a great deal of time and effort to educating the public about mental illness, my own as well as that of others.
For some reason that I am as yet unable to fathom, my colleagues at Kuro5hin feel that it is flatly impossible for me to work as a self-employed software engineer, despite the fact that I persisted with coding as a career because I found that it accomodates my condition far better than my original career choice of Physics did.
I was never actually hospitalized for fixating on, threatening or stalking anyone at all.
The single mother with a sick child happens to be one of my oldest and closest friends. I am just about the only real friend that poor woman has ever had in her entire life.
We met in 1986 or so. At the time she introduced herself to me as "Crystal". I had the idea that her nickname was due to her being quite strikingly beautiful and amazingly talented, as well as being one of the most intelligent people I have ever met in my entire life.
A year or so later I happened to refer to her as Crystal, but she asked me not to do so anymore as her nick was short for "Crystal Methamphetamine", to which she was horribly addicted for many years.
She was diagnosed with Attention Deficit Hyperactivity Disorder when she was in high school. I have ADHD too, and so I have to take a completely legal, prescription form of Amphetamine with the brand name of Adderall to have any hope of providing for myself.
I've known a whole lot of drug addicts over the years, and so am quite vividly aware of what would eventually become of me if I ever yielded to the quite tempting impulse to take more than my psychiatrist's recommended dosage of three ten milligram tablets per day.
But because Crystal was, when diagnosed with ADHD, quite addicted to Cocaine, she was completely unable to find a doctor willing to prescribe any manner of stimulant medication for her condition.
There is an antidepressant-like medicine called Strattera that is licensed for ADHD now, but it had not yet been developed when Crystal was in high school.
Despite my never having been addicted to anything, the use of stimulants for the treatment is quite unfairly stigmatized, so I sometimes have trouble obtaining the Adderall which a nationally recognized expert on Adult ADHD was completely convinced I needed to take. This I was on Stattera for a few months earlier this year, but it was not effective in any way whatsoever. I did not notice any effect from it of any sort. I did give it some time to take effect; then my p-doc put me back on Adderall after I complained that if I had to stay on Strattera, I'd be homeless in no time at all.
While I met Crystal at UC Santa Cruz, she had also been accepted to study pre-medicine at Yale, with the intention of becoming a surgeon. At UCSC, she graduated with Thesis Honors in Microbiology.
I've know this poor woman since 1986. She has to be the most fucked-up, miserable dysfunctional human being I have ever met in my whole entire life. Having been in a whole bunch of mental hospitals over the years, I've met quite a few crazy people, but Crystal tops them all.
Crystal knew very well that there was no way she could survive UCSC's Microbiology course, let alone do well in her studies, unless she could get medication for her ADHD. It happens that Methamphetamine works even better than Adderall for ADHD, and in fact is available in prescription form, completely legally. Provided you keep a lid on the dosage, Methamphetamine - the very same chemical compound that Crystal Meth is composed of - really is the best treatment there is for ADHD.
Crystal's family was once quite wealthy, but for reasons I won't go into, things didn't work out well for her father's business
Request your free CD of my piano music.
If all Facebook's users thought like you (and many others here apparently) then Facebook would have no reason whatsoever to safeguard anyone's privacy. That is the reality. Users expect the level of privacy that is described to them, as per the settings that they chose. (We're not talking about advertisers here, we're talking about other users.) And Facebook generally upholds its side of the contract. Why? Because it is afraid of user outcry, of PR disasters, and in the end of regulation. Your attitude gives Facebook a free pass. I just don't understand it. If you don't trust Facebook, don't use it. But this idea that Facebook can and will get away with anything is utterly cynical and gets us nowhere. Please stop.
I have always been clear that I regard coding as the same kind of day job that enables any starving artist to get by as a Batista. It should have been obvious long before Rusty wrote his first line of Perl that it is my writing an music that I regard as my real life's work.
yet whenever I devote any significant attention to either of my passions, the very first response from the vast majority of kurons is that my devotion to my craft is either taking time away from work that I regard as largely pointless, or is evidence of som psychiatric symptom despite me being stone cold sober when I wrote it.
I have moved Heaven and Earth to benefit humanity through my writing since 1980, and my music since 1984. yet so many of you regard me as some kind of moral failure because I don't devote myself to the kind of work whose only substantial benefit to anyone is to make wealthy people far richer than they would be without my contribution.
it's not just me. your own tick on the Mortal Plane will expire before long. as you lay in your deathbed looking back at your life, will you only consider it to be well lived if you met more of your deliverables, or if you met the same objective I meet every day of my life, to ease the agony of those who suffer, or to impart the benefit of your extensive experience to your younger colleagues who struggle to understand the work set out for him.
yesterday some guy asked me to purchase his used train ticket. that's a common scheme here because port lands transit passes are time stamped and so can be used by any number of passenger before the timeout expires.
I sadly informed him that I wascas broke as he was, but spent ten minutes with him so we could get to know each other.
younalready know that when I'm not so broke, panhandlers don't get my spare change but any meal they want atba good restaurant, during which I put even more time into getting to know them.
I bought my first meal for a panhandler in 1984. perhaps you don't show thatbsame kindness to thosevwhonsuffer, but do show show any manner of kindness atvall?
Ricardo Stallman's very first priority is not writing code and never has been. write anything you want to him; you'll be surmised not that you get a responsevat all but the time and care he devoted to his reply. barn striustrup does the same thing.
if you and Richard ever meet in person, ask him for some money. his life's work of changing society does not permit him the time to dine with you as I would, but he will buy you a meal.
I've been struggling for years to understand thevattitudes of people such as yourself towards my life's work. enlighten me, I beg of yup.
Request your free CD of my piano music.
i just don't record it. I vastly prefer live performance. the bulk of my music work is actually theoretical study. to the extent that I play it is to more deeply understand music theory. I have made it clear for many years that I want to learn to compose symphonies. one must understand music theory for that. producing recordings does not do much to advance me towards my musical goals.
it's not so much that I regard buying meals for the poor as my life's work. it is to convince others to do so.
I have been homeless and hungry. the worst part of it is not sleeping out in the cold but being treated by others as if I don't even exist.
even if you don't feed the poor, when someone asks you for money, just politely decline, then introduce yourself, ask for their name, offer to shake their hand, then spend sometime getting to know each other.
you'll quickly find that the poor, mentally I'll and homeless get far more out of genuine human companionship than any amount of food or money.
consider that the very worst punishment that is applied in Americas prisons is not execution but solitary confinement.
Request your free CD of my piano music.
What? For agreeing with you that Failbook is similar to M$ in terms of privacy? Fact : Failbook is in bed with M$.
Fact : M$ also owns the data on Failbook
Fact : Failbook is attacking software developers using imaginary property laws to give M$ a bigger monopoly. All paid for by Failbook l-users
That is the tip of the iceberg for the partnership between Failbook and M$. The FTC needs to investigate the whole deal between M$ and Failbook, revoke corporate charters, then shutdown both Failbook and M$ for numerous privacy violations and for abusing a monopoly. Even non users must deal with less privacy due t0 M$ and Failbook.
Friends don't help friends install M$ junk
Friends do assist M$ addicted friends in committing suicide.