Facebook Flaw Exposed Private Photos

← Back to Stories (view on slashdot.org)

Facebook Flaw Exposed Private Photos

Posted by Soulskill on Tuesday December 6, 2011 @08:14AM from the somebody's-having-a-bad-day-at-the-office dept.

Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."

54 of 201 comments (clear)

Min score:

Reason:

Sort:

Again? by masternerdguy · 2011-12-06 08:15 · Score: 5, Insightful

Facebook privacy violation? *shockface* I'm sure glad I don't use Facebook.

--
To offset political mods, replace Flamebait with Insightful.
1. Re:Again? by NoNonAlphaCharsHere · 2011-12-06 08:23 · Score: 5, Funny
  
  Who says Slashdot doesn't change with the times? See how the (sometimes twice) daily "New remote execution flaw in Windows" articles have been replaced by "New egregious privacy violation found in Facebook" stories?
2. Re:Again? by fuzzyfuzzyfungus · 2011-12-06 08:30 · Score: 3, Insightful
  
  Cloud computing is all the rage these days. All proactive managers are moving their egregious vulnerabilities into the cloud, so it is only fair that tech journalism follow suit...
3. Re:Again? by Anonymous Coward · 2011-12-06 08:57 · Score: 3, Funny
  
  I can't wait for it to be "horrifying security hole in Linux" twice a day. That should be a lolfest.
  Any day now, Linux should be crawling with viruses.
  Any day now.
4. Re:Again? by Anonymous Coward · 2011-12-06 09:02 · Score: 4, Funny
  
  Any day now it might be the Year of the Linux Desktop (tm).
5. Re:Again? by CodeReign · 2011-12-06 10:13 · Score: 4, Funny
  
  I'm still waiting for the era of Solaris workstation
6. Re:Again? by Anonymous Coward · 2011-12-06 10:34 · Score: 5, Insightful
  
  And no friend of yours uses facebook?
  And no one you ever was in a party with?
  And no one who has your adress in their gmail contact list?
  Facebook is a threat not limited to its users.
7. Re:Again? by Anonymous Coward · 2011-12-06 11:07 · Score: 3, Insightful
  
  To you. It's a troll to anybody who's tired of seeing this trotted out every time there's a story that can be even vaguely linked.
8. Re:Again? by fafaforza · 2011-12-06 14:57 · Score: 3, Insightful
  
  If you don't want private stuff to be exposed then don't post it. It's that simple. When you upload/post stuff, you have no control over it. But you can still use Facebook to stay in touch.
9. Re:Again? by beowulfcluster · 2011-12-06 19:28 · Score: 3, Funny
  
  People who don't use Facebook are so superior. Whenever someone says that it reminds me a bit about this: http://www.theonion.com/articles/area-man-constantly-mentioning-he-doesnt-own-a-tel,429/
  
  By the way I of course don't use Facebook.
10. Re:Again? by bronney · 2011-12-06 20:39 · Score: 4, Insightful
  
  Oh you missed the fun part brother. It's not whether you post it, it's I post you on it. You can't stop it, you can't delete it.
Of course by Sarten-X · 2011-12-06 08:18 · Score: 5, Insightful

If you upload something to Facebook, assume anyone can see it. Whether it's a genuine hack, somebody figuring out your password, or leaving a computer logged in while you go grab coffee, somebody will at some point have access to everything, so don't upload it in the first place. It's that simple.
That means don't complain profusely about your boss every day, don't send explicit messages to you lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

--
You do not have a moral or legal right to do absolutely anything you want.
1. Re:Of course by peragrin · 2011-12-06 08:22 · Score: 4, Insightful
  
  Always assume anything on facebook is visible to everyone always. You no longer have any control, it is never deleted, never removed.
  It is why i have never used facebook ever. It isnt worth it. While i do know some has posted pictures of me, those pictures cant truely be linked to me.
  
  --
  i thought once I was found, but it was only a dream.
2. Re:Of course by geekmux · 2011-12-06 08:24 · Score: 5, Funny
  
  If you upload something to Facebook, assume anyone can see it...
  Ah, you misspelled Internet.
3. Re:Of course by jellomizer · 2011-12-06 08:25 · Score: 2
  
  In other words.
  Rules for civilized public discourse still apply.
  
  Granted Face Book really needs to fix it privacy and security to be much better. But Facebook is a Social Media site. Meaning information posted is meant to be posted socially.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
4. Re:Of course by snowgirl · 2011-12-06 08:26 · Score: 5, Funny
  
  That means don't complain profusely about your boss every day, don't send explicit messages to you lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.
  But I hate my boss; he's a total asshole! And my boyfriend loves getting steamy messages (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) ), and I archive all the bachelor parties that I perform at. I need to have a portfolio after all! How will the next bachelor party find out if they want me vs. that skank across town?
  Click here to visit my private webpage, for my special webpage (Registration, and credit card required)
  
  --
  WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
5. Re:Of course by Anonymous Coward · 2011-12-06 08:32 · Score: 4, Insightful
  
  (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) )
  
  This is the classic problem of how to properly close a parenthetical statement that ends with an emoticon.
6. Re:Of course by Anonymous Coward · 2011-12-06 08:38 · Score: 4, Funny
  
  The easy fix, in this case, is to use more tongue. ;p
7. Re:Of course by Anonymous Coward · 2011-12-06 08:39 · Score: 2, Funny
  
  hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;)
  I just discovered that I assume that everyone on Slashdot is male, and that guys who wear panties for their boyfriend Brian kind of skeeve me out.
  Learn something new every day...
8. Re:Of course by Archangel+Michael · 2011-12-06 08:39 · Score: 2
  
  If you upload something to Facebook, assume anyone WILL see it.
  FTFY
  Assume the worst. If you want something private, don't tell ANYONE.
  
  --
  Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
9. Re:Of course by forkfail · 2011-12-06 08:41 · Score: 5, Funny
  
  You do understand that these forums are often frequented by folks who have forgotten more about computer security that most folks will learn during the course of their entire lives?
  
  --
  Check your premises.
10. Re:Of course by izomiac · 2011-12-06 08:45 · Score: 2
  
  If you upload something to Facebook, assume anyone can see it.
  Personally, I assume that Mark Zuckerberg can see it, if he so chooses, and I trust him less than my least trustworthy friend.
11. Re:Of course by Abstrackt · 2011-12-06 08:46 · Score: 5, Funny
  
  If you upload something to Facebook, assume Internet can see it...
  Ah, you misspelled Internet.
  I've taken the liberty of making the correction on your behalf.
  
  --
  They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
12. Re:Of course by Baloroth · 2011-12-06 08:53 · Score: 2
  
  I can probably guess it: 772-257-4501
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
13. Re:Of course by betterunixthanunix · 2011-12-06 09:01 · Score: 3, Interesting
  
  If you upload something to Facebook, assume anyone can see it
  I used to think this, but there are some pretty convincing arguments in The Net Delusion that have caused me to rethink that position. There are a lot of Facebook users, and dissident groups cannot avoid using Facebook to reach people, simply because of the large number of people on Facebook. If Facebook does not take privacy seriously, the risk to dissidents who try to contact their fellow citizens on Facebook will grow.
  
  The point here is that yes, it is a problem when Facebook unexpectedly opens its users' data to the world against their wishes. There are legitimate reasons why someone might use Facebook but want to keep their account data private.
  
  --
  Palm trees and 8
14. Re:Of course by PNutts · 2011-12-06 09:20 · Score: 3, Funny
  
  If you upload pr0n to Internet, make sure I can see it...
  Ah, you misspelled Internet.
  I've taken the liberty of making the correction on your behalf.
  I think that was the correction he was talking about.
  Sorry, it still wasn't right.
15. Re:Of course by Gaygirlie · 2011-12-06 09:29 · Score: 4, Funny
  
  That's what she said.
16. Re:Of course by Anonymous Coward · 2011-12-06 09:32 · Score: 4, Interesting
  
  Newsflash: any dissidents attempting to use Facebook are being plain stupid. That's like sending an email containing your entire list of friends and family to every government in the world, but with way more detail about what you do and where you are.
  You do realize that Facebook privacy terms only apply to other users who use Facebook for free, and follow the terms of service, right? Facebook hackers, bots, and government agencies (and likely some large corporations) have full access to Facebook data. So does Facebook. Not only is your "private" Facebook data fair game, so is the "hidden" Facebook data, such as your access log, answers to security questions, access patterns (when you did what), etc.
17. Re:Of course by Jim+Hall · 2011-12-06 09:50 · Score: 2
  
  If you upload something to Facebook, assume anyone can see it.
  In general, this is true of anything you post on the Internet. I look at it this way: try to avoid posting things on Facebook, Twitter, Google+, Slashdot, Flickr, or any other site, that you might be embarrassed for a family member to see, or a future potential employer. If it's on the Internet, assume anyone can see it.
  My immediate personal response to this Facebook flaw: ohmigosh! Then I remembered that my photos are pretty much my cats, work we've done on the house, flowers, speakers at events, and similar stuff. I may have them marked "private" but not that big a deal if this flaw exposed them.
  I recognize that I am a minority of Facebook users, however.
18. Re:Of course by Anonymous Coward · 2011-12-06 10:37 · Score: 5, Funny
  
  You can tell he's a coder because he substituted the placement instead of thinking about it as being "inside" a layer which must be closed regardless of the last character. Other people see the aesthetics of one vs two )'s and one for many *looks* better. As a coder we know we didn't properly close our parens.
  Programmers through process.
  Ok I'm inside a parens.
  content.
  more content.
  smiley
  Ok, I have to close this parens.
  ==
  Normal person's thought process.
  ==
  Ok I'm whispering, so I need to start with a (
  content.
  more content.
  Now I'm done. (looks at the sentence, and thinks a single closing paren looks better, does not add another one)
19. Re:Of course by qubezz · 2011-12-06 20:11 · Score: 4, Insightful
  
  ... While i do know some has posted pictures of me, those pictures cant truely be linked to me.
  That is, until the other user imports their contact lists with your email addresses and phone numbers into Facebook, and starts tagging pictures of you, and they correlate others's address books with you in them. Then Facebook has a good idea who you are and who your "friends" are without you ever logging in.
20. Re:Of course by Pope · 2011-12-07 03:31 · Score: 2
  
  User name/post combo of the day!
  
  --
  It doesn't mean much now, it's built for the future.
Interesting by koan · 2011-12-06 08:18 · Score: 3, Interesting

I wonder what constitutes a "private photo" for Zuckerberg, my guess is he has no photos that would be even remotely interesting since he knows the ins and outs of FB, and why does spell check want to turn "zuckerberg" into "rubbernecker"?
It's all related somehow...

--
"If any question why we died, Tell them because our fathers lied."
Surprised this is real. by Ecuador · 2011-12-06 08:21 · Score: 4, Interesting

I saw a link to the forum discussing this somewhere. From the description of the "hack", I was certain this is a hoax. You see, the idea is that the hack is to report the user with private pictures to facebook as having "nude/pornographic" images, and in the image flagging process it shows you private-only pics as well.
So it really sounded like a hoax to me to have people go around reporting private profiles of hot girls (or even boys I guess), and I am surprised it is a real security flaw. Not that you can call something on facebook a security flaw, since that would require security in the first place, right?

--
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
1. Re:Surprised this is real. by interval1066 · 2011-12-06 08:47 · Score: 4, Interesting
  
  This flaw has been exploited for months by the likes of 4chan.org/b/, and others. I'm surprised it took this long to get out.
  
  --
  Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
2. Re:Surprised this is real. by jd · 2011-12-06 09:02 · Score: 2
  
  It didn't. It took that long for the "popular bodybuilding forum" to archive those pictures guaranteed to improve its popularity.
  
  --
  It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Private pictures? by gmuslera · 2011-12-06 08:23 · Score: 5, Interesting

Wasnt Zuckerberg himself who said some years ago that whoever wants to have privacy is guilty of something?
1. Re:Private pictures? by blair1q · 2011-12-06 08:27 · Score: 4, Funny
  
  Then I'm guilty of not wanting people to be jealous of my naked body.
2. Re:Private pictures? by hellkyng · 2011-12-06 08:33 · Score: 3, Informative
  
  "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Eric Schmidt
  Not quite... but close.
3. Re:Private pictures? by Sir_Eptishous · 2011-12-06 10:38 · Score: 4, Insightful
  
  The Canadian privacy expert David Flaherty expresses a similar idea when he argues: "There is no sentient human being in the Western world who has little or no regard for his or her personal privacy; those who would attempt such claims cannot withstand even a few minutes' questioning about intimate aspects of their lives without capitulating to the intrusiveness of certain subject matters."
  
  --
  We play the game with the bravery of being out of range
thank you mark. by Anonymous Coward · 2011-12-06 08:24 · Score: 5, Funny

A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa. -Mark Zuckerberg
No Mark,
The private pics of the girl I crush on, yes, those are more relevant to my interests than people dying in Africa. Thank you for giving me occasional glimpses of hope with your privacy blunders.
Yours Sincerely,
Creep.
A bug? In software? OH MY! by bennomatic · 2011-12-06 08:31 · Score: 5, Insightful

Mistakes happen. Things get through QA. When a bug occurs, if it's in a flight control system, you might crash. If it's in a backup system, you might lose data. If it's in a social network, you might block users you didn't mean to, or you might open your data to unwanted eyes.

Unless we're going to start regulating social networks like we do products for some other industries, then, well, there's a reasonable likelihood of this sort of thing happening on a regular basis. If you don't like it, don't share stuff on Facebook.

--
The CB App. What's your 20?
1. Re:A bug? In software? OH MY! by hey! · 2011-12-06 14:35 · Score: 2
  
  You have to assume that things will slip through of course.
  This particular bug could easily have been prevented by making all object requests pass through a layer that implements some form of mandatory access control. But given this story it's obvious there's no such layer in Facebook, and it's up to the developers to bake uniform security policies into every feature they implement. This is a problem that following the DRY principle would have prevented.
  But this kind of thing happen all the time in software. Some architectural shortcomings don't bite you until you've got a successful product that needs to be maintained. If you had a choice of course you'd do everything perfectly right out of the gate, but if you can't then you want to address the problems that stand in the way of success. Obviously privacy shortcomings haven't hurt Facebook that much, certainly not as much as failing to scale their system extremely rapidly, which was a remarkable technical success which enabled a remarkable business success.
  But Facebook still stinks.
  
  --
  Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Re:you can't trust 3rd parties with private info by fuzzyfuzzyfungus · 2011-12-06 08:33 · Score: 4, Insightful

Inconveniently, tiny networks are dubiously useful for most of the purposes to which people put facebook, network effects and all that.

It's not my cup of tea; but the notion that one could usefully improve one's security by simply replacing facebook with a personally implemented private network is roughly similar to the notion that one can usefully improve one's security by severing one's LAN from the internet.

Both are true; but not terribly useful for most users.
Did You Really Authorize All Those FB Apps? by MichaelCrawford · 2011-12-06 09:03 · Score: 4, Informative

The other day I finally got around to configuring those privacy settings that everyone has been so on about. Facebook sure doesn't make them easy to find.
I was shocked to find that my account granted access to about three dozen apps that I never even heard of. There were only two or three that I signed up for with my own conscious knowledge. I don't have the first clue how I got signed up for all the rest.
That just pissed me off. As I was no longer actually using the two or three apps that I did voluntarily use, I deleted all three dozen from my account.
You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data. Even if you want to use a particular Facebook app, you should configure that particular app's privacy settings to grant it access only to the data you voluntarily want it to have. If you are no longer using an app, or don't recall ever requesting the use of it, you should delete it from your account completely.
Here's what you do:
Log in to your Facebook account. (Heh, when I did that just now, I found my account locked. It turned out to be because I had deleted my cookies, not because Facebook caught me spreading the word about how to dump what Facebook considers to be its real customers!)
At the top-right is your username, "Friends", "Home" and a small triangle. Click on the small triangle then select "Privacy Settings".
Click on "Edit Settings" to the right of "Apps and Websites". You may need to scroll down a little bit.
Click on "Edit Settings" to the right of "Apps You Use".
I no longer use any apps so I can't continue from here, but at this point it should be pretty clear what to do.
Some apps really will require access to your details so they can function. If so, be certain that you really want to continue using those apps. Give them the minimum level of access that you really want them to have. Delete all the rest.

--
Request your free CD of my piano music.
Definitely real by Anonymous Coward · 2011-12-06 09:04 · Score: 2, Informative

I decided it was real when I saw someone post Zuck's photos.
1. Re:Definitely real by Bill+Dimm · 2011-12-06 09:16 · Score: 2
  
  If ever I thought there was a link that would go to goatse, that was it. But, no, the photos are of Zuckerberg fully clothed. Not mounting a goat or anything along those lines.
Surprisingly weak architecture by matthaak · 2011-12-06 09:07 · Score: 5, Insightful

I think this story is revealing about Facebook's security architecture. One would have hoped that security policies are defined within the application at a very low level and that all requests for information -- be it photos, posts, whatever -- must pass through that low-level security layer. What this story reveals is that the security architecture of Facebook is such that each developer of each separate function (in this case, the report-a-nude-photo function) is responsible for re-implementing security checks.
The pictures by slasho81 · 2011-12-06 09:12 · Score: 5, Interesting

The pictures.
Regardless of THIS flaw by dmomo · 2011-12-06 09:13 · Score: 5, Informative

Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the url of an image (not the facebook url that wraps the image but the actual resource url) you can view it from anywhere whether or not you are logged in.
1. Re:Regardless of THIS flaw by Anonymous Coward · 2011-12-06 09:35 · Score: 5, Informative
  
  In addition to that if you have the static URL to the photo it persists after the photo has been deleted as well. I tested this by loading a URL after a photo had been deleted from the profile and voila! Its still there.
  
  So creeps, grab those URLs from your cache while you can.
2. Re:Regardless of THIS flaw by dmomo · 2011-12-06 09:45 · Score: 4, Informative
  
  Yeah. And if for some reason, you share it to someone.. and they post it anywhere, and google pics up the url, forget it:
  https://www.google.com/search?q=a3.sphotos.ak.fbcdn.net/hphotos-ak-snc7&oe=utf-8um=1&ie=UTF-8&hl=en&tbm=isch&source=og&sa=N&tab=wi
  You can also run a search for partial image names through the google image search api using facebook known static content servers.
3. Re:Regardless of THIS flaw by blackraven14250 · 2011-12-06 10:23 · Score: 4, Informative
  
  This has nothing to do with DNS. When an image is "removed" from Facebook, the image is left on the server. The URL is something like this: http://a3.sphotos.ak.fbcdn.net/ . Using the rest of the url, you can always access the image because they're not changing around which servers are assigned which names.
4. Re:Regardless of THIS flaw by ShaunC · 2011-12-06 10:35 · Score: 5, Interesting
  
  If the deleted content is still there a week or more later, then you've got problems.
  We're talking about Facebook here. The content is never deleted, and that's by design.
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!