Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook Flaw Exposed Private Photos

Posted by Soulskill on from the somebody's-having-a-bad-day-at-the-office dept.

Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."

2 of 201 comments (clear)

  1. Regardless of THIS flaw by dmomo · · Score: 5, Informative

    Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the url of an image (not the facebook url that wraps the image but the actual resource url) you can view it from anywhere whether or not you are logged in.

    1. Re:Regardless of THIS flaw by Anonymous Coward · · Score: 5, Informative

      In addition to that if you have the static URL to the photo it persists after the photo has been deleted as well. I tested this by loading a URL after a photo had been deleted from the profile and voila! Its still there.

      So creeps, grab those URLs from your cache while you can.