Slashdot Mirror


Facebook Flaw Exposed Private Photos

Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."

8 of 201 comments

  1. Re:Private pictures? by hellkyng · Score: 3, Informative

    "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Eric Schmidt

    Not quite... but close.

  2. Did You Really Authorize All Those FB Apps? by MichaelCrawford · Score: 4, Informative

    The other day I finally got around to configuring those privacy settings that everyone has been so on about. Facebook sure doesn't make them easy to find.

    I was shocked to find that my account granted access to about three dozen apps that I never even heard of. There were only two or three that I signed up for with my own conscious knowledge. I don't have the first clue how I got signed up for all the rest.

    That just pissed me off. As I was no longer actually using the two or three apps that I did voluntarily use, I deleted all three dozen from my account.

    You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data. Even if you want to use a particular Facebook app, you should configure that particular app's privacy settings to grant it access only to the data you voluntarily want it to have. If you are no longer using an app, or don't recall ever requesting the use of it, you should delete it from your account completely.

    Here's what you do:

    Log in to your Facebook account. (Heh, when I did that just now, I found my account locked. It turned out to be because I had deleted my cookies, not because Facebook caught me spreading the word about how to dump what Facebook considers to be its real customers!)

    At the top-right is your username, "Friends", "Home" and a small triangle. Click on the small triangle then select "Privacy Settings".

    Click on "Edit Settings" to the right of "Apps and Websites". You may need to scroll down a little bit.

    Click on "Edit Settings" to the right of "Apps You Use".

    I no longer use any apps so I can't continue from here, but at this point it should be pretty clear what to do.

    Some apps really will require access to your details so they can function. If so, be certain that you really want to continue using those apps. Give them the minimum level of access that you really want them to have. Delete all the rest.

    --
    Request your free CD of my piano music.
  3. Definitely real by Anonymous Coward · Score: 2, Informative

    I decided it was real when I saw someone post Zuck's photos.

  4. Regardless of THIS flaw by dmomo · Score: 5, Informative

    Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the URL of an image (not the Facebook URL that wraps the image but the actual resource URL) you can view it from anywhere, whether or not you are logged in.

    1. Re:Regardless of THIS flaw by Anonymous Coward · Score: 5, Informative

      In addition to that, if you have the static URL to the photo, it persists after the photo has been deleted as well. I tested this by loading a URL after a photo had been deleted from the profile and voilà! It's still there.

      So creeps, grab those URLs from your cache while you can.

    2. Re:Regardless of THIS flaw by dmomo · Score: 4, Informative

      Yeah. And if for some reason you share it with someone, and they post it anywhere, and Google picks up the URL, forget it:
      https://www.google.com/search?q=a3.sphotos.ak.fbcdn.net/hphotos-ak-snc7&oe=utf-8um=1&ie=UTF-8&hl=en&tbm=isch&source=og&sa=N&tab=wi

      You can also run a search for partial image names through the Google Image Search API using Facebook's known static-content servers.

    3. Re:Regardless of THIS flaw by blackraven14250 · Score: 4, Informative

      This has nothing to do with DNS. When an image is "removed" from Facebook, the image is left on the server. The URL is something like this: http://a3.sphotos.ak.fbcdn.net/ . Using the rest of the url, you can always access the image because they're not changing around which servers are assigned which names.
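The static-content scheme dmomo and the replies describe, modelled as an added example (not Facebook's code, and not posted by anyone in this thread): a toy in-memory image host that serves a photo to anyone who knows the path, beside the usual mitigation for that design, an HMAC-signed URL that carries an expiry. The signing key, the paths and the image bytes are all constructed for the example; the path layout is only a stand-in for a real CDN path.

```python
"""Constructed example: URL-obscurity static hosting vs. signed, expiring URLs.

Not Facebook's code. The key, the paths and the bytes below are invented.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical signing key; a real deployment keeps this on the origin/edge only.
SECRET = b"constructed-example-key-do-not-reuse"

# Constructed photo store: path -> image bytes. Privacy settings live in the
# web application; the static host knows nothing about them, as dmomo says.
PHOTOS = {
    "/hphotos/12345_67890.jpg": b"\xff\xd8\xff\xe0 private photo bytes",
}


def serve_obscure(path, logged_in=False):
    """The scheme described in the thread: no cookies, no session; the path is
    the only secret. logged_in is accepted and deliberately ignored."""
    return PHOTOS.get(path)


def sign_url(path, expires_at, key=SECRET):
    """Return path?expires=...&sig=... where sig is HMAC-SHA256 over path+expiry.

    Binding the expiry into the MAC means a client cannot extend its own link.
    """
    msg = f"{path}\n{expires_at}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'expires': expires_at, 'sig': sig})}"


def serve_signed(url, now=None, key=SECRET):
    """Serve only if the URL carries a valid, unexpired signature.

    Returns the image bytes, or None where a real server would send 403.
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires_at = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return None  # unsigned or malformed link: refuse
    if now > expires_at:
        return None  # a link copied from a cache stops working after expiry
    msg = f"{parts.path}\n{expires_at}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the signature through comparison timing
    if not hmac.compare_digest(expected, sig):
        return None
    return PHOTOS.get(parts.path)


if __name__ == "__main__":
    path = "/hphotos/12345_67890.jpg"
    print("obscure, not logged in:", serve_obscure(path) is not None)                   # True
    link = sign_url(path, expires_at=1_000_000_600)
    print("signed, within expiry :", serve_signed(link, now=1_000_000_000) is not None)  # True
    print("signed, after expiry  :", serve_signed(link, now=1_000_000_700) is not None)  # False
    print("bare path, no sig     :", serve_signed(path, now=1_000_000_000) is not None)  # False
```

The point of the contrast: `serve_obscure` never consults who is asking, so the path is a bearer credential that lives forever, which is exactly why a URL saved from a cache (reply 1) or indexed by Google (reply 2) keeps working. A signed URL is still a bearer credential and still leaks if shared, but the signature stops path guessing and tampering, and the expiry bounds how long a leaked or cached link is useful; it does not, on its own, remove the bytes from the server when the photo is deleted.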

  5. Some of my best friends are strippers by MichaelCrawford · Score: 1, Informative

    One of them had the idea that she could shock me by giving me her business card that bore a professionally photographed wide-open beaver shot.

    If you're anywhere near Santa Cruz, California, Seraphina Landgrebe does excellent erotic photography. I rang her up once in hopes that she could do a nice portrait for use as a Valentine's Day gift, but I did not yet have the kind of relationship with that young lady that would have made Seraphina's suggestion that I pose while clad in nothing but a leopard-print jockstrap appropriate.

    That stripper invited me to a party at her place once. There were only three men there, and all manner of incredibly hot young women. It turned out that the lot of them were strippers as well.

    --
    Request your free CD of my piano music.