Facebook Flaw Exposed Private Photos
Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."
Facebook privacy violation? *shockface* I'm sure glad I don't use Facebook.
To offset political mods, replace Flamebait with Insightful.
If you upload something to Facebook, assume anyone can see it. Whether it's a genuine hack, somebody figuring out your password, or leaving a computer logged in while you go grab coffee, somebody will at some point have access to everything, so don't upload it in the first place. It's that simple.
That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.
You do not have a moral or legal right to do absolutely anything you want.
I wonder what constitutes a "private photo" for Zuckerberg; my guess is he has no photos that would be even remotely interesting since he knows the ins and outs of FB. And why does spell check want to turn "zuckerberg" into "rubbernecker"?
It's all related somehow...
"If any question why we died, Tell them because our fathers lied."
I saw a link to the forum discussing this somewhere. From the description of the "hack", I was certain this was a hoax. You see, the idea is that the hack is to report the user with private pictures to Facebook as having "nude/pornographic" images, and in the image flagging process it shows you private-only pics as well.
So it really sounded like a hoax to me, to have people go around reporting private profiles of hot girls (or even boys, I guess), and I am surprised it is a real security flaw. Not that you can call something on Facebook a security flaw, since that would require security in the first place, right?
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
Wasn't it Zuckerberg himself who said some years ago that whoever wants to have privacy is guilty of something?
A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa. -Mark Zuckerberg
No Mark,
The private pics of the girl I crush on, yes, those are more relevant to my interests than people dying in Africa. Thank you for giving me occasional glimpses of hope with your privacy blunders.
Yours Sincerely,
Creep.
A "bodybuilding" forum is reporting one of the biggest Facebook flaws I ever heard of? Or in other words, the biggest anti-geek place is reporting a really geeky thing??
What's the world coming to??
Them's fightin' words.
This from the moron who shares his name and address with the entire world.
Mistakes happen. Things get through QA. When a bug occurs, if it's in a flight control system, you might crash. If it's in a backup system, you might lose data. If it's in a social network, you might block users you didn't mean to, or you might open your data to unwanted eyes.
Unless we're going to start regulating social networks like we do products for some other industries, then, well, there's a reasonable likelihood of this sort of thing happening on a regular basis. If you don't like it, don't share stuff on Facebook.
The CB App. What's your 20?
Inconveniently, tiny networks are dubiously useful for most of the purposes to which people put facebook, network effects and all that.
It's not my cup of tea; but the notion that one could usefully improve one's security by simply replacing Facebook with a personally implemented private network is roughly similar to the notion that one can usefully improve one's security by severing one's LAN from the Internet.
Both are true; but not terribly useful for most users.
This flaw in Facebook has been known to the internet since 2009.
I remember there was this one image floating around on 4chan for a while showing people how the flaw worked. All it consisted of was some messing around with the URL, and you could see any person's private images, whether they were on your friends list or not.
I can't help thinking this is why more emphasis on QA, staging changes appropriately and testing thoroughly, and less focus on agile, devops-type methodology, would have helped. It's a well-known fact that Facebook developers work on live production data.
Have a squat over at the hobo house.
Is the archive of Zuckerberg's pictures still up somewhere? Every link I have been sent has been devoid of images.
Need any dad jokes?
Having a conversation/discussion != trolling. However only a minority actually understand this concept - the ones on the far right side of the bell curve.
Seven puppies were harmed during the making of this post.
The other day I finally got around to configuring those privacy settings that everyone has been so on about. Facebook sure doesn't make them easy to find.
I was shocked to find that my account granted access to about three dozen apps that I had never even heard of. There were only two or three that I signed up for with my own conscious knowledge. I don't have the first clue how I got signed up for all the rest.
That just pissed me off. As I was no longer actually using the two or three apps that I did voluntarily use, I deleted all three dozen from my account.
You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data. Even if you want to use a particular Facebook app, you should configure that particular app's privacy settings to grant it access only to the data you voluntarily want it to have. If you are no longer using an app, or don't recall ever requesting the use of it, you should delete it from your account completely.
Here's what you do:
Log in to your Facebook account. (Heh, when I did that just now, I found my account locked. It turned out to be because I had deleted my cookies, not because Facebook caught me spreading the word about how to dump what Facebook considers to be its real customers!)
At the top-right is your username, "Friends", "Home" and a small triangle. Click on the small triangle then select "Privacy Settings".
Click on "Edit Settings" to the right of "Apps and Websites". You may need to scroll down a little bit.
Click on "Edit Settings" to the right of "Apps You Use".
I no longer use any apps so I can't continue from here, but at this point it should be pretty clear what to do.
Some apps really will require access to your details so they can function. If so, be certain that you really want to continue using those apps. Give them the minimum level of access that you really want them to have. Delete all the rest.
Request your free CD of my piano music.
I decided it was real when I saw someone post Zuck's photos.
Now if there were porn photos of Mark Z. Ewwww!
Sorry, but gray text on gray background is making my eyes bleed.
I think this story is revealing about Facebook's security architecture. One would have hoped that security policies are defined within the application at a very low level and that all requests for information -- be it photos, posts, whatever -- must pass through that low-level security layer. What this story reveals is that the security architecture of Facebook is such that each developer of each separate function (in this case, the report-a-nude-photo function) is responsible for re-implementing security checks.
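The point made here, and in the earlier description of the report-a-photo flow leaking private pictures, is the difference between one central policy decision point and per-feature checks. The following is an added illustration, not Facebook's code: a toy photo graph with a constructed "public/friends/only_me" vocabulary, where the album view and the report flow both go through `can_view`, beside an unsafe report lookup that re-implements the query without the gate.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    visibility: str  # "public", "friends" or "only_me" (constructed vocabulary)

@dataclass
class Graph:
    friends: dict = field(default_factory=dict)  # user -> set of friend user ids
    photos: dict = field(default_factory=dict)   # photo_id -> Photo

    def can_view(self, viewer: str, photo: Photo) -> bool:
        """Single policy decision point: every read path must call this."""
        if viewer == photo.owner or photo.visibility == "public":
            return True
        if photo.visibility == "friends":
            return viewer in self.friends.get(photo.owner, set())
        return False  # "only_me" and any unknown setting: deny by default

    def album(self, viewer: str, owner: str) -> list:
        """Normal profile view: filtered through the gate."""
        return [p.photo_id for p in self.photos.values()
                if p.owner == owner and self.can_view(viewer, p)]

    def report_user_unsafe(self, reporter: str, reported: str) -> list:
        """The failure mode described in the thread: a separate feature
        re-implements the lookup and forgets the privacy check."""
        return [p.photo_id for p in self.photos.values() if p.owner == reported]

    def report_user(self, reporter: str, reported: str) -> list:
        """Hardened flow: the reporter can only flag what they may already see."""
        return self.album(reporter, reported)

def build_sample_graph() -> Graph:
    """Constructed sample data: alice's three photos, bob is her only friend."""
    g = Graph()
    g.friends = {"alice": {"bob"}, "bob": {"alice"}}
    for pid, vis in [("p1", "public"), ("p2", "friends"), ("p3", "only_me")]:
        g.photos[pid] = Photo(pid, "alice", vis)
    return g

if __name__ == "__main__":
    g = build_sample_graph()
    print("stranger sees via album:        ", g.album("mallory", "alice"))
    print("stranger sees via unsafe report:", g.report_user_unsafe("mallory", "alice"))
    print("stranger sees via gated report: ", g.report_user("mallory", "alice"))
```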
no no no ... these are great fun.
The pictures.
Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the URL of an image (not the Facebook URL that wraps the image but the actual resource URL) you can view it from anywhere, whether or not you are logged in.
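The usual mitigation for exactly this situation, a static server with no session state, is a signed URL: the application signs the path together with an expiry, and the static server only checks the signature and clock. This is an added example of that general technique, not Facebook's implementation; the secret and paths are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real deployment keeps this out of source and rotates it.
SECRET = b"constructed-demo-key"

def _mac(path: str, expires: int) -> str:
    """HMAC over the resource path and the expiry, so neither can be swapped."""
    msg = f"{path}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Application side: runs after the app has checked the viewer may see the photo."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return f"{path}?{urlencode({'exp': expires, 'sig': _mac(path, expires)})}"

def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Static-server side: no cookies, no session, just clock plus signature."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # bare or malformed URL: the raw path alone is not enough
    if now > expires:
        return False  # a leaked link stops working after the TTL
    return hmac.compare_digest(sig, _mac(parsed.path, expires))

if __name__ == "__main__":
    link = sign_url("/photos/abc.jpg", ttl_seconds=60, now=1000)
    print(link)
    print("fresh:", verify_url(link, now=1030), "expired:", verify_url(link, now=1100))
```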
I'm not sure you isn't a test of a moron.
I'm not sure if you isn't a test of a moron either, mate.
To offset political mods, replace Flamebait with Insightful.
proper form mandates that you : 1) print out a copy of your ill-gotten booty, 2) place on a flat surface, like a table, 3) squeeze one off, making sure to land on the picture, 4) take a picture of that , making sure cawk is in frame, 5) post to /b/, 6) lulz
Do you have a key bound to spell "you're completely pathetic."?
Having a conversation/discussion != trolling. However only a minority actually understand this concept - the ones on the far right side of the bell curve.
Ummm, isn't that where it goes back down to zero?
Thank you sir for making my point for me. Known on the X axis, variable on the Y, etc.
Seven puppies were harmed during the making of this post.
One of them had the idea that she could shock me by giving me her business card that bore a professionally photographed wide-open beaver shot.
If you're anywhere near Santa Cruz, California, Seraphina Landgrebe does excellent erotic photography. I rang her up once in hopes that she could do a nice portrait for use as a Valentine's Day gift, but I did not yet have the kind of relationship with that young lady that would have made Seraphina's suggestion that I pose while clad in nothing but a leopard-print jockstrap appropriate.
That stripper invited me to a party at her place once. There were only three men there, and all manner of incredibly hot young women. It turned out that the lot of them were strippers as well.
Request your free CD of my piano music.
It's silly to expect anything you place on the Internet to be private.
Some guy over at Kuro5hin who I know only as modus got the idea that I am some manner of dangerous criminal psychopath because I was so inconsiderate of his easily-wounded feelings as to point out that, after two decades of working as a coder, I was weary of the work and wanted to change careers by going back to school to learn how to compose symphonies.
If you look at his comment and diary history at his user info page I linked above, you'll find that the vast majority of them are focussed entirely on me, quite commonly telling all manner of bald-faced lies about me.
He went to all manner of trouble and expense in hopes of making me completely unemployable, by running Google AdWords Select ads that pointed to the rather sarcastic diary I posted in which I requested that my colleagues at Kuro5hin stop giving me crap for not having ever shipped a Free Software product I've been tinkering with over the years. I have always made it crystal-clear that the real value of Ogg Frog was its website, because of its informative articles as well as its opinion pieces, with the Ogg Frog software being meant mainly to attract readers to those articles.
I wrote them all in 2005 and 2006, so I cannot possibly imagine why anyone would have cause to complain. I won't release Ogg Frog because it has some severe bugs in it; because the product is targeted towards naive music fans, I don't want to subject them to the usability problems, crashes, and end-user data loss that are so commonly found in Open Source products that are "Released Early, Released Often".
While I can see the value of having my code inspected by "Many Eyeballs", the two I have are sufficient.
I don't have a problem with some troll being so obsessed with me that he has nothing better to do with his sorry existence than lie about me from the basement of his mother's house.
What I do have a problem with is that this guy devotes vast quantities of effort to discovering where I live or what company I am consulting for. Whenever he is able to figure either of those out, he blasts news of his incredible discovery All Over God's Creation.
For this reason, for a couple of years now I've been very quiet about where I live, and I never, ever mention anywhere who I am working for. When he pointed out that he was following my updates to my resume on my website, I removed my resume entirely then replaced it with a redirect to a general description of my company's consulting services.
He has the idea that he's just being funny in the way so many Internet trolls think they are. If he had not, at this point, kept this crap up for two or three years I might believe him. But by now I feel I really do have reason to be concerned that this crime I committed by pointing out that I want to follow my passion rather than working as a corporate whore anymore is so serious, that if he knew how to physically locate me, he might come after me with a gun.
Don't think I'm just being paranoid. That kind of thing happens All The God Damn Time. I recall as if it were yesterday the incident in which some Silicon Valley engineer for reasons I don't recall brought a gun to work one day and slaughtered seven of his colleagues.
It was at one time possible to obtain personal information from the California Department of Motor Vehicles database. I don't think it was public record, exactly, but somehow some stalker was able to get his victim's home address from the DMV, then showed up at her place and murdered her.
This of course made headlines all over Creation, so now the California DMV database is locked down much more tightly, but I would not be at all surprised if all of the other government databases which have not yet been used to obtain the street address of your next murder victim are not so secure.
In the US, banks, credit card companies and the like use the account holder's mother's maiden name as a form of identification. Given the divorce rate in the state, as wel
Request your free CD of my piano music.
The vast majority of old friends that I want to find again don't have the first clue how to use Google.
While I'm pretty good at "Feeling Lucky" myself, the kind of people who don't know how to use Google also tend not to appear anywhere on the Web under their own real names.
One of my very best friends during my Freshman year of high school was a fellow Roman Soldier in Armijo High School's production of Jesus Christ Superstar. I'm handy with tools, so with the help of Ted and the other tool-handy Roman Soldiers, I supervised the fabrication of all of our spears in my family garage, using my Dad's tools.
Over the summer after that year, Ted totally disappeared. Fell Off The Edge Of The Earth. Left The Building.
I figured that he'd moved somewhere and neglected to ever tell me where he moved to. After a while I gave up on ever hearing from one of the very best friends I ever had, ever again in my life.
A couple of years ago I turned Ted up on Facebook. I left the theatre when I graduated from high school, but Ted made theatre his career.
Not long after we Friended each other, Ted invited me to the taping of a TV commercial for one of the big science museums in downtown San Jose, California. I was living in San Jose at the time.
If you ever want to walk right on to a movie or TV set while taping is taking place, just walk right up to the security guard, politely introduce yourself then say "I'm here to see Ted." He'll show you right in. I don't think it really matters whether anyone named Ted is actually present on the production set.
Ted had lost a lot of weight since high school. We used to call him "Little Orange Basketball". He was also a lot taller, as we were both fifteen when we knew each other back then.
Despite the very real Starfleet uniform, green facepaint and pointy prosthetic ears, Ted's very un-Vulcanlike smile was totally unmistakable.
I have all the same objections to Facebook that any rational software engineer - or any rational human being - would have, but if it were not for Facebook, I would never, ever have found my old friend Ted Arabian ever, ever again.
It would be the same for so many of my other friends. There are many that I'm still searching for, but have not yet found. I was once quite stoked to discover that my very best friend from elementary school was the lead actor in a live theatrical production I attended one night, but woe is me, it was not him, he was just using my childhood friend's name as his stage name.
Maybe I can find you a YouTube of The Little Orange Basketball appearing as Commander Spock... damn, I'm not finding it. There are lots of videos of that exhibition online, but I can't find Ted's TV commercial.
I'll drop him a line; if he has a link I'll post it in a followup.
Request your free CD of my piano music.
Point out that fact to all of your Facebook friends.
After I deleted all those apps from my FB profile, I pointed out what I'd done on my FB wall.
One of my FB Friends immediately replied to thank me for doing so, and told me that it was only because of my advice that she knew to do the same thing for her own profile.
Request your free CD of my piano music.
Why would someone put their 'private' photos up on Facebook?
If all Facebook's users thought like you (and many others here apparently) then Facebook would have no reason whatsoever to safeguard anyone's privacy. That is the reality. Users expect the level of privacy that is described to them, as per the settings that they chose. (We're not talking about advertisers here, we're talking about other users.) And Facebook generally upholds its side of the contract. Why? Because it is afraid of user outcry, of PR disasters, and in the end of regulation. Your attitude gives Facebook a free pass. I just don't understand it. If you don't trust Facebook, don't use it. But this idea that Facebook can and will get away with anything is utterly cynical and gets us nowhere. Please stop.
See? All that time you spent writing a WALL OF TEXT could have been productively spent getting Warp Life finished.
Hail Eris, full of mischief...
E pluribus sanguinem
I have always been clear that I regard coding as the same kind of day job that enables any starving artist to get by as a barista. It should have been obvious long before Rusty wrote his first line of Perl that it is my writing and music that I regard as my real life's work.
Yet whenever I devote any significant attention to either of my passions, the very first response from the vast majority of kurons is that my devotion to my craft is either taking time away from work that I regard as largely pointless, or is evidence of some psychiatric symptom, despite me being stone cold sober when I wrote it.
I have moved Heaven and Earth to benefit humanity through my writing since 1980, and my music since 1984. Yet so many of you regard me as some kind of moral failure because I don't devote myself to the kind of work whose only substantial benefit to anyone is to make wealthy people far richer than they would be without my contribution.
It's not just me. Your own tick on the Mortal Plane will expire before long. As you lie on your deathbed looking back at your life, will you only consider it to be well lived if you met more of your deliverables, or if you met the same objective I meet every day of my life: to ease the agony of those who suffer, or to impart the benefit of your extensive experience to your younger colleagues who struggle to understand the work set out for them?
Yesterday some guy asked me to purchase his used train ticket. That's a common scheme here because Portland's transit passes are time-stamped and so can be used by any number of passengers before the timeout expires.
I sadly informed him that I was as broke as he was, but spent ten minutes with him so we could get to know each other.
You already know that when I'm not so broke, panhandlers don't get my spare change but any meal they want at a good restaurant, during which I put even more time into getting to know them.
I bought my first meal for a panhandler in 1984. Perhaps you don't show that same kindness to those who suffer, but do you show any manner of kindness at all?
Richard Stallman's very first priority is not writing code and never has been. Write anything you want to him; you'll be surprised not that you get a response at all, but at the time and care he devoted to his reply. Bjarne Stroustrup does the same thing.
If you and Richard ever meet in person, ask him for some money. His life's work of changing society does not permit him the time to dine with you as I would, but he will buy you a meal.
I've been struggling for years to understand the attitudes of people such as yourself towards my life's work. Enlighten me, I beg of you.
Request your free CD of my piano music.
I just don't record it. I vastly prefer live performance. The bulk of my music work is actually theoretical study; to the extent that I play, it is to more deeply understand music theory. I have made it clear for many years that I want to learn to compose symphonies. One must understand music theory for that. Producing recordings does not do much to advance me towards my musical goals.
It's not so much that I regard buying meals for the poor as my life's work. It is to convince others to do so.
I have been homeless and hungry. The worst part of it is not sleeping out in the cold but being treated by others as if I don't even exist.
Even if you don't feed the poor, when someone asks you for money, just politely decline, then introduce yourself, ask for their name, offer to shake their hand, then spend some time getting to know each other.
You'll quickly find that the poor, mentally ill and homeless get far more out of genuine human companionship than any amount of food or money.
Consider that the very worst punishment that is applied in America's prisons is not execution but solitary confinement.
Request your free CD of my piano music.