Slashdot Mirror


Facebook Flaw Exposed Private Photos

Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."

34 of 201 comments

  1. Again? by masternerdguy · · Score: 5, Insightful

    Facebook privacy violation? *shockface* I'm sure glad I don't use Facebook.

    --
    To offset political mods, replace Flamebait with Insightful.
    1. Re:Again? by NoNonAlphaCharsHere · · Score: 5, Funny

      Who says Slashdot doesn't change with the times? See how the (sometimes twice) daily "New remote execution flaw in Windows" articles have been replaced by "New egregious privacy violation found in Facebook" stories?

    2. Re:Again? by Anonymous Coward · · Score: 4, Funny

      Any day now it might be the Year of the Linux Desktop (tm).

    3. Re:Again? by CodeReign · · Score: 4, Funny

      I'm still waiting for the era of Solaris workstation

    4. Re:Again? by Anonymous Coward · · Score: 5, Insightful

      And no friend of yours uses Facebook?
      And no one you ever were at a party with?
      And no one who has your address in their Gmail contact list?

      Facebook is a threat not limited to its users.

    5. Re:Again? by bronney · · Score: 4, Insightful

      Oh you missed the fun part brother. It's not whether you post it, it's I post you on it. You can't stop it, you can't delete it.

  2. Of course by Sarten-X · · Score: 5, Insightful

    If you upload something to Facebook, assume anyone can see it. Whether it's a genuine hack, somebody figuring out your password, or leaving a computer logged in while you go grab coffee, somebody will at some point have access to everything, so don't upload it in the first place. It's that simple.

    That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

    --
    You do not have a moral or legal right to do absolutely anything you want.
    1. Re:Of course by peragrin · · Score: 4, Insightful

      Always assume anything on facebook is visible to everyone always. You no longer have any control, it is never deleted, never removed.

      It is why I have never used Facebook, ever. It isn't worth it. While I do know some have posted pictures of me, those pictures can't truly be linked to me.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Of course by geekmux · · Score: 5, Funny

      If you upload something to Facebook, assume anyone can see it...

      Ah, you misspelled Internet.

    3. Re:Of course by snowgirl · · Score: 5, Funny

      That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

      But I hate my boss; he's a total asshole! And my boyfriend loves getting steamy messages (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) ), and I archive all the bachelor parties that I perform at. I need to have a portfolio after all! How will the next bachelor party find out if they want me vs. that skank across town?

      Click here to visit my private webpage, for my special webpage (Registration, and credit card required)

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    4. Re:Of course by Anonymous Coward · · Score: 4, Insightful

      (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) )

      This is the classic problem of how to properly close a parenthetical statement that ends with an emoticon.

    5. Re:Of course by Anonymous Coward · · Score: 4, Funny

      The easy fix, in this case, is to use more tongue. ;p

    6. Re:Of course by forkfail · · Score: 5, Funny

      You do understand that these forums are often frequented by folks who have forgotten more about computer security than most folks will learn during the course of their entire lives?

      --
      Check your premises.
    7. Re:Of course by Abstrackt · · Score: 5, Funny

      If you upload something to Facebook, assume Internet can see it...

      Ah, you misspelled Internet.

      I've taken the liberty of making the correction on your behalf.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    8. Re:Of course by Gaygirlie · · Score: 4, Funny

      That's what she said.

    9. Re:Of course by Anonymous Coward · · Score: 4, Interesting

      Newsflash: any dissidents attempting to use Facebook are being plain stupid. That's like sending an email containing your entire list of friends and family to every government in the world, but with way more detail about what you do and where you are.

      You do realize that Facebook privacy terms only apply to other users who use Facebook for free, and follow the terms of service, right? Facebook hackers, bots, and government agencies (and likely some large corporations) have full access to Facebook data. So does Facebook. Not only is your "private" Facebook data fair game, so is the "hidden" Facebook data, such as your access log, answers to security questions, access patterns (when you did what), etc.

    10. Re:Of course by Anonymous Coward · · Score: 5, Funny

      You can tell he's a coder because he substituted the placement instead of thinking about it as being "inside" a layer which must be closed regardless of the last character. Other people see the aesthetics of one vs two )'s and one for many *looks* better. As a coder we know we didn't properly close our parens.

      Programmer's thought process.

      Ok I'm inside a parens.
              content.
              more content.
              smiley
      Ok, I have to close this parens.

      ==
      Normal person's thought process.
      ==

      Ok I'm whispering, so I need to start with a (
      content.
      more content.
      Now I'm done. (looks at the sentence, and thinks a single closing paren looks better, does not add another one)

    11. Re:Of course by qubezz · · Score: 4, Insightful

      ... While I do know some have posted pictures of me, those pictures can't truly be linked to me.

      That is, until the other user imports their contact lists with your email addresses and phone numbers into Facebook, and starts tagging pictures of you, and they correlate others' address books with you in them. Then Facebook has a good idea who you are and who your "friends" are without you ever logging in.

  3. Surprised this is real. by Ecuador · · Score: 4, Interesting

    I saw a link to the forum discussing this somewhere. From the description of the "hack", I was certain this was a hoax. You see, the idea is that the hack is to report the user with private pictures to Facebook as having "nude/pornographic" images, and in the image flagging process it shows you private-only pics as well.
    So it really sounded like a hoax to me to have people go around reporting private profiles of hot girls (or even boys, I guess), and I am surprised it is a real security flaw. Not that you can call something on Facebook a security flaw, since that would require security in the first place, right?

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:Surprised this is real. by interval1066 · · Score: 4, Interesting

      This flaw has been exploited for months by the likes of 4chan.org/b/, and others. I'm surprised it took this long to get out.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  4. Private pictures? by gmuslera · · Score: 5, Interesting

    Wasn't it Zuckerberg himself who said, some years ago, that whoever wants to have privacy is guilty of something?

    1. Re:Private pictures? by blair1q · · Score: 4, Funny

      Then I'm guilty of not wanting people to be jealous of my naked body.

    2. Re:Private pictures? by Sir_Eptishous · · Score: 4, Insightful

      The Canadian privacy expert David Flaherty expresses a similar idea when he argues: "There is no sentient human being in the Western world who has little or no regard for his or her personal privacy; those who would attempt such claims cannot withstand even a few minutes' questioning about intimate aspects of their lives without capitulating to the intrusiveness of certain subject matters."

      --
      We play the game with the bravery of being out of range
  5. thank you mark. by Anonymous Coward · · Score: 5, Funny

    A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa. -Mark Zuckerberg

    No Mark,
    The private pics of the girl I crush on, yes, those are more relevant to my interests than people dying in Africa. Thank you for giving me occasional glimpses of hope with your privacy blunders.
    Yours Sincerely,
    Creep.

  6. A bug? In software? OH MY! by bennomatic · · Score: 5, Insightful

    Mistakes happen. Things get through QA. When a bug occurs, if it's in a flight control system, you might crash. If it's in a backup system, you might lose data. If it's in a social network, you might block users you didn't mean to, or you might open your data to unwanted eyes.

    Unless we're going to start regulating social networks like we do products for some other industries, then, well, there's a reasonable likelihood of this sort of thing happening on a regular basis. If you don't like it, don't share stuff on Facebook.

    --
    The CB App. What's your 20?
  7. Re:you can't trust 3rd parties with private info by fuzzyfuzzyfungus · · Score: 4, Insightful

    Inconveniently, tiny networks are dubiously useful for most of the purposes to which people put facebook, network effects and all that.

    It's not my cup of tea; but the notion that one could usefully improve one's security by simply replacing facebook with a personally implemented private network is roughly similar to the notion that one can usefully improve one's security by severing one's LAN from the internet.

    Both are true; but not terribly useful for most users.

  8. Did You Really Authorize All Those FB Apps? by MichaelCrawford · · Score: 4, Informative

    The other day I finally got around to configuring those privacy settings that everyone has been so on about. Facebook sure doesn't make them easy to find.

    I was shocked to find that my account granted access to about three dozen apps that I never even heard of. There were only two or three that I signed up for with my own conscious knowledge. I don't have the first clue how I got signed up for all the rest.

    That just pissed me off. As I was no longer actually using the two or three apps that I did voluntarily use, I deleted all three dozen from my account.

    You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data. Even if you want to use a particular Facebook app, you should configure that particular app's privacy settings to grant it access only to the data you voluntarily want it to have. If you are no longer using an app, or don't recall ever requesting the use of it, you should delete it from your account completely.

    Here's what you do:

    Log in to your Facebook account. (Heh, when I did that just now, I found my account locked. It turned out to be because I had deleted my cookies, not because Facebook caught me spreading the word about how to dump what Facebook considers to be its real customers!)

    At the top-right is your username, "Friends", "Home" and a small triangle. Click on the small triangle then select "Privacy Settings".

    Click on "Edit Settings" to the right of "Apps and Websites". You may need to scroll down a little bit.

    Click on "Edit Settings" to the right of "Apps You Use".

    I no longer use any apps so I can't continue from here, but at this point it should be pretty clear what to do.

    Some apps really will require access to your details so they can function. If so, be certain that you really want to continue using those apps. Give them the minimum level of access that you really want them to have. Delete all the rest.

    --
    Request your free CD of my piano music.
  9. Surprisingly weak architecture by matthaak · · Score: 5, Insightful

    I think this story is revealing about Facebook's security architecture. One would have hoped that security policies are defined within the application at a very low level and that all requests for information -- be it photos, posts, whatever -- must pass through that low-level security layer. What this story reveals is that the security architecture of Facebook is such that each developer of each separate function (in this case, the report-a-nude-photo function) is responsible for re-implementing security checks.
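
As an added illustration of the architecture matthaak is asking for (example code written for this thread, not Facebook's), the sketch below puts the visibility policy in one low-level gate that every read path, the album view and the report-a-photo flow alike, has to call. The data model, the names (`PhotoStore`, `FriendGraph`, `report_photo`, the users alice, bob and eve) and the three visibility levels are all constructed for the example. `report_photo_flawed` shows the failure pattern the post describes: a separate feature that reaches past the gate and therefore has to re-implement the check itself, and forgets to.

```python
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised by the central gate when policy says no."""


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    visibility: str  # "public", "friends" or "private" (constructed levels)
    data: bytes


@dataclass
class FriendGraph:
    # owner -> set of users the owner counts as friends (constructed data)
    friends: dict[str, set[str]] = field(default_factory=dict)

    def are_friends(self, owner: str, viewer: str) -> bool:
        return viewer in self.friends.get(owner, set())


class PhotoStore:
    """The only object that holds photo bytes; the policy lives here, once."""

    def __init__(self, graph: FriendGraph) -> None:
        self._graph = graph
        self._photos: dict[str, Photo] = {}

    def add(self, photo: Photo) -> None:
        self._photos[photo.photo_id] = photo

    def can_view(self, viewer: str, photo: Photo) -> bool:
        if viewer == photo.owner or photo.visibility == "public":
            return True
        if photo.visibility == "friends":
            return self._graph.are_friends(photo.owner, viewer)
        return False  # "private" and anything unrecognised: deny by default

    def fetch(self, viewer: str, photo_id: str) -> Photo:
        """Every feature obtains a photo through this gate."""
        photo = self._photos[photo_id]
        if not self.can_view(viewer, photo):
            raise AccessDenied(f"{viewer} may not view {photo_id}")
        return photo

    def _raw(self, photo_id: str) -> Photo:
        # Unchecked access, kept only to show the failure pattern below.
        return self._photos[photo_id]


def album_view(store: PhotoStore, viewer: str, photo_id: str) -> bytes:
    """Normal album path: goes through the gate."""
    return store.fetch(viewer, photo_id).data


def report_photo_flawed(store: PhotoStore, reporter: str, photo_id: str) -> dict:
    """Failure pattern from the post: the report feature bypasses the gate and
    would have to re-implement the check itself. It forgets, so the preview is
    returned regardless of the photo's visibility."""
    photo = store._raw(photo_id)
    return {"photo_id": photo_id, "reporter": reporter, "preview": photo.data}


def report_photo(store: PhotoStore, reporter: str, photo_id: str) -> dict:
    """Hardened: the report flow asks the same gate as the album view. A
    reporter who may not see the photo can still flag it, but gets no preview."""
    try:
        preview = store.fetch(reporter, photo_id).data
    except AccessDenied:
        preview = None
    return {"photo_id": photo_id, "reporter": reporter, "preview": preview}


def build_demo_store() -> PhotoStore:
    """Constructed sample data: alice owns three photos with different settings,
    bob is her friend, eve is a stranger."""
    graph = FriendGraph(friends={"alice": {"bob"}})
    store = PhotoStore(graph)
    store.add(Photo("p1", "alice", "private", b"alice-private"))
    store.add(Photo("p2", "alice", "friends", b"alice-friends"))
    store.add(Photo("p3", "alice", "public", b"alice-public"))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print("flawed report by eve:", report_photo_flawed(s, "eve", "p1")["preview"])
    print("gated report by eve: ", report_photo(s, "eve", "p1")["preview"])
```

The design point is that `_raw` should not exist outside the store at all; if the only way any feature can obtain bytes is `fetch`, a new feature cannot ship without the check, and a review or a test of the gate covers every caller.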

  10. The pictures by slasho81 · · Score: 5, Interesting
  11. Regardless of THIS flaw by dmomo · · Score: 5, Informative

    Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the URL of an image (not the Facebook URL that wraps the image but the actual resource URL) you can view it from anywhere, whether or not you are logged in.

    1. Re:Regardless of THIS flaw by Anonymous Coward · · Score: 5, Informative

      In addition to that, if you have the static URL to the photo it persists after the photo has been deleted as well. I tested this by loading a URL after a photo had been deleted from the profile and voila! It's still there.

      So creeps, grab those URLs from your cache while you can.

    2. Re:Regardless of THIS flaw by dmomo · · Score: 4, Informative

      Yeah. And if for some reason you share it with someone, and they post it anywhere, and Google picks up the URL, forget it:
      https://www.google.com/search?q=a3.sphotos.ak.fbcdn.net/hphotos-ak-snc7&oe=utf-8um=1&ie=UTF-8&hl=en&tbm=isch&source=og&sa=N&tab=wi

      You can also run a search for partial image names through the Google Image Search API using Facebook's known static content servers.

    3. Re:Regardless of THIS flaw by blackraven14250 · · Score: 4, Informative

      This has nothing to do with DNS. When an image is "removed" from Facebook, the image is left on the server. The URL is something like this: http://a3.sphotos.ak.fbcdn.net/ . Using the rest of the URL, you can always access the image because they're not changing around which servers are assigned which names.

    4. Re:Regardless of THIS flaw by ShaunC · · Score: 5, Interesting

      If the deleted content is still there a week or more later, then you've got problems.

      We're talking about Facebook here. The content is never deleted, and that's by design.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
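
The subthread above describes a static tier that checks nothing but the URL. The usual defensive answer that keeps the static servers stateless (no cookies, no session lookups, as dmomo describes) is a signed, expiring URL: the application server does the real authorization check for the logged-in viewer and then issues a link that carries an expiry and an HMAC over the exact path and expiry; the edge verifies it with only the key and its clock. The code below is an added example written for this thread, not Facebook's or any CDN's implementation; the signing key, the host `static.example.invalid` and the photo path are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example only: a real deployment loads the key from
# a secret store and serves from its own static host.
SIGNING_KEY = b"example-signing-key-not-for-production"
STATIC_HOST = "static.example.invalid"


def _mac(key: bytes, path: str, expires: int) -> str:
    """HMAC over the exact path and the expiry, so neither can be altered."""
    message = f"{path}\n{expires}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, key: bytes = SIGNING_KEY,
             now: int | None = None) -> str:
    """Issued by the application server after it has authorized the viewer.
    `now` is injectable so the behaviour can be checked without a real clock."""
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_seconds)
    query = urlencode({"exp": expires, "sig": _mac(key, path, expires)})
    return f"https://{STATIC_HOST}{path}?{query}"


def verify_url(url: str, key: bytes = SIGNING_KEY,
               now: int | None = None) -> tuple[bool, str]:
    """Run on the static edge: no cookies, no session lookup, just key + clock.
    Returns (ok, reason) so a server can log why a request was refused."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed exp/sig"
    expected = _mac(key, parts.path, expires)
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    link = sign_url("/photos/12345_abc_n.jpg", ttl_seconds=600, now=issued_at)
    print(link)
    print("inside ttl:", verify_url(link, now=issued_at + 100))
    print("after ttl: ", verify_url(link, now=issued_at + 601))
    print("path edited:", verify_url(link.replace("abc", "abd"), now=issued_at + 100))
```

Two caveats a practitioner would want stated. First, a signed link encodes the result of an authorization decision; it does not replace the decision, so the application still has to check the viewer before calling `sign_url`. Second, expiry only makes leaked or cached links go stale. It does not remove the bytes: the persistence-after-deletion behaviour reported in this subthread is fixed only by a delete that actually purges the object from the origin and from any CDN cache.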