Slashdot Mirror


Facebook Flaw Exposed Private Photos

Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."

17 of 201 comments

  1. Again? by masternerdguy · · Score: 5, Insightful

    Facebook privacy violation? *shockface* I'm sure glad I don't use Facebook.

    --
    To offset political mods, replace Flamebait with Insightful.
    1. Re:Again? by NoNonAlphaCharsHere · · Score: 5, Funny

      Who says Slashdot doesn't change with the times? See how the (sometimes twice) daily "New remote execution flaw in Windows" articles have been replaced by "New egregious privacy violation found in Facebook" stories?

    2. Re:Again? by Anonymous Coward · · Score: 5, Insightful

      And no friend of yours uses facebook?
      And no one you ever was in a party with?
      And no one who has your address in their gmail contact list?

      Facebook is a threat not limited to its users.

  2. Of course by Sarten-X · · Score: 5, Insightful

    If you upload something to Facebook, assume anyone can see it. Whether it's a genuine hack, somebody figuring out your password, or leaving a computer logged in while you go grab coffee, somebody will at some point have access to everything, so don't upload it in the first place. It's that simple.

    That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

    --
    You do not have a moral or legal right to do absolutely anything you want.
    1. Re:Of course by geekmux · · Score: 5, Funny

      If you upload something to Facebook, assume anyone can see it...

      Ah, you misspelled Internet.

    2. Re:Of course by snowgirl · · Score: 5, Funny

      That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

      But I hate my boss; he's a total asshole! And my boyfriend loves getting steamy messages (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) ), and I archive all the bachelor parties that I perform at. I need to have a portfolio after all! How will the next bachelor party find out if they want me vs. that skank across town?

      Click here to visit my private webpage, for my special webpage (Registration, and credit card required)

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    3. Re:Of course by forkfail · · Score: 5, Funny

      You do understand that these forums are often frequented by folks who have forgotten more about computer security than most folks will learn during the course of their entire lives?

      --
      Check your premises.
    4. Re:Of course by Abstrackt · · Score: 5, Funny

      If you upload something to Facebook, assume Internet can see it...

      Ah, you misspelled Internet.

      I've taken the liberty of making the correction on your behalf.

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    5. Re:Of course by Anonymous Coward · · Score: 5, Funny

      You can tell he's a coder because he substituted the placement instead of thinking about it as being "inside" a layer which must be closed regardless of the last character. Other people see the aesthetics of one vs two )'s and one for many *looks* better. As a coder we know we didn't properly close our parens.

      Programmer's thought process.

      Ok I'm inside a parens.
              content.
              more content.
              smiley
      Ok, I have to close this parens.

      ==
      Normal person's thought process.
      ==

      Ok I'm whispering, so I need to start with a (
      content.
      more content.
      Now I'm done. (looks at the sentence, and thinks a single closing paren looks better, does not add another one)

  3. Private pictures? by gmuslera · · Score: 5, Interesting

    Wasn't it Zuckerberg himself who said some years ago that whoever wants to have privacy is guilty of something?

  4. thank you mark. by Anonymous Coward · · Score: 5, Funny

    A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa. -Mark Zuckerberg

    No Mark,
    The private pics of the girl I crush on, yes, those are more relevant to my interests than people dying in Africa. Thank you for giving me occasional glimpses of hope with your privacy blunders.
    Yours Sincerely,
    Creep.

  5. A bug? In software? OH MY! by bennomatic · · Score: 5, Insightful

    Mistakes happen. Things get through QA. When a bug occurs, if it's in a flight control system, you might crash. If it's in a backup system, you might lose data. If it's in a social network, you might block users you didn't mean to, or you might open your data to unwanted eyes.

    Unless we're going to start regulating social networks like we do products for some other industries, then, well, there's a reasonable likelihood of this sort of thing happening on a regular basis. If you don't like it, don't share stuff on Facebook.

    --
    The CB App. What's your 20?
  6. Surprisingly weak architecture by matthaak · · Score: 5, Insightful

    I think this story is revealing about Facebook's security architecture. One would have hoped that security policies are defined within the application at a very low level and that all requests for information -- be it photos, posts, whatever -- must pass through that low-level security layer. What this story reveals is that the security architecture of Facebook is such that each developer of each separate function (in this case, the report-a-nude-photo function) is responsible for re-implementing security checks.
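
    A sketch of the layered design matthaak is asking for, as an added example that is not part of the original thread and not Facebook's code: every read of a photo goes through one store method that performs the visibility check, so a new feature (here a hypothetical report handler) cannot reach a photo without the check being applied. The users, photo ids and friend graph are constructed for the demo.

```python
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"
    FRIENDS = "friends"
    PRIVATE = "private"


@dataclass
class Photo:
    photo_id: str
    owner: str
    visibility: Visibility


@dataclass
class SocialGraph:
    # user id -> set of friend user ids (constructed sample graph)
    friends: dict = field(default_factory=dict)

    def are_friends(self, a: str, b: str) -> bool:
        return b in self.friends.get(a, set())


class PhotoStore:
    """Single choke point: every read goes through get_photo(), which applies
    the visibility policy itself. Feature code never bypasses it."""

    def __init__(self, graph: SocialGraph):
        self._graph = graph
        self._photos: dict[str, Photo] = {}

    def add(self, photo: Photo) -> None:
        self._photos[photo.photo_id] = photo

    def can_view(self, viewer: str, photo: Photo) -> bool:
        if viewer == photo.owner or photo.visibility is Visibility.PUBLIC:
            return True
        if photo.visibility is Visibility.FRIENDS:
            return self._graph.are_friends(photo.owner, viewer)
        return False  # PRIVATE: owner only

    def get_photo(self, viewer: str, photo_id: str) -> Photo:
        photo = self._photos.get(photo_id)
        # Same error for "missing" and "forbidden", so callers cannot probe
        # whether a photo id exists.
        if photo is None or not self.can_view(viewer, photo):
            raise PermissionError("photo not available")
        return photo


# Two hypothetical feature handlers. Neither re-implements the check; both are
# forced through the store, so adding a feature cannot skip authorization.
def view_handler(store: PhotoStore, viewer: str, photo_id: str) -> dict:
    photo = store.get_photo(viewer, photo_id)
    return {"photo_id": photo.photo_id, "owner": photo.owner}


def report_handler(store: PhotoStore, reporter: str, photo_id: str) -> dict:
    # Reporting only needs to confirm the reporter can already see the photo.
    photo = store.get_photo(reporter, photo_id)
    return {"reported": photo.photo_id, "by": reporter}


def build_demo() -> PhotoStore:
    """Constructed sample data: alice owns three photos, bob is her friend."""
    graph = SocialGraph({"alice": {"bob"}, "bob": {"alice"}})
    store = PhotoStore(graph)
    store.add(Photo("p1", "alice", Visibility.PRIVATE))
    store.add(Photo("p2", "alice", Visibility.FRIENDS))
    store.add(Photo("p3", "alice", Visibility.PUBLIC))
    return store


def access_matrix(store: PhotoStore) -> dict:
    """Which (viewer, photo) pairs the report handler lets through."""
    result = {}
    for viewer in ("alice", "bob", "mallory"):
        for pid in ("p1", "p2", "p3", "p9"):  # p9 does not exist
            try:
                report_handler(store, viewer, pid)
                result[(viewer, pid)] = True
            except PermissionError:
                result[(viewer, pid)] = False
    return result


if __name__ == "__main__":
    for key, allowed in sorted(access_matrix(build_demo()).items()):
        print(key, "allowed" if allowed else "denied")
```

    The point of the structure is that the policy lives in one place: changing who may see FRIENDS photos, or adding audit logging, is a single edit, and a handler that forgets to call the store simply has no way to obtain a photo object at all.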

  7. The pictures by slasho81 · · Score: 5, Interesting
  8. Regardless of THIS flaw by dmomo · · Score: 5, Informative

    Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the url of an image (not the facebook url that wraps the image but the actual resource url) you can view it from anywhere whether or not you are logged in.

    1. Re:Regardless of THIS flaw by Anonymous Coward · · Score: 5, Informative

      In addition to that, if you have the static URL to the photo it persists after the photo has been deleted as well. I tested this by loading a URL after a photo had been deleted from the profile and voila! It's still there.


      So creeps, grab those URLs from your cache while you can.
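
      A common mitigation for both points raised above (static photos protected only by an unguessable URL, and URLs that keep working after the photo is deleted) is to hand out signed, short-lived URLs that the static-content edge can verify with nothing but a shared key, so it still needs no cookies or session state. This is an added example, not code from the thread or from Facebook; the hostname, signing key and photo paths are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for this example; a real deployment loads it from a
# secret store shared between origin and edge, and rotates it.
SECRET_KEY = b"example-signing-key-do-not-reuse"
CDN_BASE = "https://static.example.invalid"  # placeholder host


def _signature(path: str, expires: int) -> str:
    # HMAC over the resource path and the expiry timestamp.
    msg = f"{path}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Origin side: URL for `path` that validates only until now + ttl."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"exp": expires, "sig": _signature(path, expires)})
    return f"{CDN_BASE}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Edge side: stateless check, no cookie or session lookup required."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # unsigned or malformed request
    if now > expires:
        return False  # a URL saved from a cache stops working after the TTL
    expected = _signature(parts.path, expires)
    return hmac.compare_digest(sig, expected)  # constant-time comparison


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario covering the cases that matter at the edge."""
    url = sign_url("/photos/p1.jpg", ttl_seconds=300, now=now)
    tampered = url.replace("/photos/p1.jpg", "/photos/p2.jpg")
    return {
        "fresh": verify_url(url, now=now + 60),
        "expired": verify_url(url, now=now + 301),
        "tampered": verify_url(tampered, now=now + 60),
        "bare": verify_url(f"{CDN_BASE}/photos/p1.jpg", now=now),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'served' if ok else 'rejected'}")
```

      The edge never consults the social graph; the origin decides who may see a photo when it issues the signed link, and the short expiry bounds how long a copied URL stays useful, including after the owner deletes the photo.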

    2. Re:Regardless of THIS flaw by ShaunC · · Score: 5, Interesting

      If the deleted content is still there a week or more later, then you've got problems.

      We're talking about Facebook here. The content is never deleted, and that's by design.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!