Facebook Privacy Your Rights Online

Facebook Flaw Exposed Private Photos

Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."
  • Again? (Score:5, Insightful)

    by masternerdguy ( 2468142 ) on Tuesday December 06, 2011 @03:15PM (#38284118)
    Facebook privacy violation? *shockface* I'm sure glad I don't use Facebook.
    • Re:Again? (Score:5, Funny)

      by NoNonAlphaCharsHere ( 2201864 ) on Tuesday December 06, 2011 @03:23PM (#38284202)
      Who says Slashdot doesn't change with the times? See how the (sometimes twice) daily "New remote execution flaw in Windows" articles have been replaced by "New egregious privacy violation found in Facebook" stories?
    • Re:Again? (Score:5, Insightful)

      by Anonymous Coward on Tuesday December 06, 2011 @05:34PM (#38285720)

      And no friend of yours uses facebook?
      And no one you ever was in a party with?
      And no one who has your address in their gmail contact list?

      Facebook is a threat not limited to its users.

      • Slashdot users with RL friends? Who go to parties with them? Resulting in interesting pictures?

        You must be new here. ;-)

    • by tsa ( 15680 )

      Facebook has become the 1990's MS of the 2010's. Every week a new exploit.

    • Re:Again? (Score:4, Insightful)

      by fafaforza ( 248976 ) on Tuesday December 06, 2011 @09:57PM (#38287554)

      If you don't want private stuff to be exposed then don't post it. It's that simple. When you upload/post stuff, you have no control over it. But you can still use Facebook to stay in touch.

    • Re:Again? (Score:4, Funny)

      by beowulfcluster ( 603942 ) on Wednesday December 07, 2011 @02:28AM (#38288662)
      People who don't use Facebook are so superior. Whenever someone says that it reminds me a bit about this: http://www.theonion.com/articles/area-man-constantly-mentioning-he-doesnt-own-a-tel,429/ [theonion.com]

      By the way I of course don't use Facebook.
  • Of course (Score:5, Insightful)

    by Sarten-X ( 1102295 ) on Tuesday December 06, 2011 @03:18PM (#38284144) Homepage

    If you upload something to Facebook, assume anyone can see it. Whether it's a genuine hack, somebody figuring out your password, or leaving a computer logged in while you go grab coffee, somebody will at some point have access to everything, so don't upload it in the first place. It's that simple.

    That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

    • Re:Of course (Score:5, Insightful)

      by peragrin ( 659227 ) on Tuesday December 06, 2011 @03:22PM (#38284196)

      Always assume anything on facebook is visible to everyone always. You no longer have any control, it is never deleted, never removed.

      It is why I have never used Facebook ever. It isn't worth it. While I do know some have posted pictures of me, those pictures can't truly be linked to me.

      • Re:Of course (Score:5, Insightful)

        by qubezz ( 520511 ) on Wednesday December 07, 2011 @03:11AM (#38288802)

        ... While I do know some have posted pictures of me, those pictures can't truly be linked to me.

        That is, until the other user imports their contact lists with your email addresses and phone numbers into Facebook, and starts tagging pictures of you, and they correlate others' address books with you in them. Then Facebook has a good idea who you are and who your "friends" are without you ever logging in.

    • by geekmux ( 1040042 ) on Tuesday December 06, 2011 @03:24PM (#38284224)

      If you upload something to Facebook, assume anyone can see it...

      Ah, you misspelled Internet.

      • by Abstrackt ( 609015 ) * on Tuesday December 06, 2011 @03:46PM (#38284534)

        If you upload something to Facebook, assume Internet can see it...

        Ah, you misspelled Internet.

        I've taken the liberty of making the correction on your behalf.

        • If you upload something to Internet, assume anyone can see it...

          Ah, you misspelled Internet.

          I've taken the liberty of making the correction on your behalf.

          I think that was the correction he was talking about.

          • by PNutts ( 199112 ) on Tuesday December 06, 2011 @04:20PM (#38284958)

            If you upload pr0n to Internet, make sure I can see it...

            Ah, you misspelled Internet.

            I've taken the liberty of making the correction on your behalf.

            I think that was the correction he was talking about.

            Sorry, it still wasn't right.

    • In other words.
      Rules for civilized public discourse still apply.

      Granted Facebook really needs to fix its privacy and security to be much better. But Facebook is a Social Media site. Meaning information posted is meant to be posted socially.
    • by snowgirl ( 978879 ) on Tuesday December 06, 2011 @03:26PM (#38284256) Journal

      That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

      But I hate my boss; he's a total asshole! And my boyfriend loves getting steamy messages (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) ), and I archive all the bachelor parties that I perform at. I need to have a portfolio after all! How will the next bachelor party find out if they want me vs. that skank across town?

      Click here [youtube.com] to visit my private webpage, for my special webpage (Registration, and credit card required)

      • Re:Of course (Score:4, Insightful)

        by Anonymous Coward on Tuesday December 06, 2011 @03:32PM (#38284332)

        (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) )

        This is the classic problem of how to properly close a parenthetical statement that ends with an emoticon.

        • by Anonymous Coward on Tuesday December 06, 2011 @03:38PM (#38284412)

          The easy fix, in this case, is to use more tongue. ;p

        • by Anonymous Coward on Tuesday December 06, 2011 @05:37PM (#38285736)

          You can tell he's a coder because he substituted the placement instead of thinking about it as being "inside" a layer which must be closed regardless of the last character. Other people see the aesthetics of one vs two )'s and one for many *looks* better. As a coder we know we didn't properly close our parens.

          Programmer's thought process.

          Ok I'm inside a parens.
                  content.
                  more content.
                  smiley
          Ok, I have to close this parens.

          ==
          Normal person's thought process.
          ==

          Ok I'm whispering, so I need to start with a (
          content.
          more content.
          Now I'm done. (looks at the sentence, and thinks a single closing paren looks better, does not add another one)

        • (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) )

          This is the classic problem of how to properly close a parenthetical statement that ends with an emoticon.

          Another semantic nugget I wanted to add, is when you use slash to separate two things ("cat/dog"). If an item consists of multiple words, you should cover it in curly brackets so that you know what words the option covers ("cat/{big dog}").

          So technically the sentences "Today I'm going to fix the garage/kitchen door" and "Today I'm going to fix the garage/{kitchen door}" are two different things. In the first one you're either fixing the door of garage or kitchen. In the second one you're either fixing the w

      • Re: (Score:2, Funny)

        by Anonymous Coward

        hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;)

        I just discovered that I assume that everyone on Slashdot is male, and that guys who wear panties for their boyfriend Brian kind of skeeve me out.

        Learn something new every day...

      • Well, of course, if you "perform" professionally at bachelor parties, then perhaps your Facebook page is a marketing tool for your entertainment business. In that case, it should present an image suitable to your profession. If that means insulting your boss to help potential customers identify with you, then so be it.

      • by migla ( 1099771 )

        You're very talented! I haven't seen such classic moves in a while. Cool voice, too.

      • Can I get your number?
      • One of them had the idea that she could shock me by giving me her business card that bore a professionally photographed wide-open beaver shot.

        If you're anywhere near Santa Cruz, California, Seraphina Landgrebe does excellent erotic photography. I rang her up once in hopes that she could do a nice portrait for use as a Valentine's Day gift, but I did not yet have the kind of relationship with that young lady that would have made Seraphina's suggestion that I pose while clad in nothing but a leopard-print jo

      • "Son of a bitch," he cried. And so ends the saga of: "The Last Person On The Face Of The Earth To Be "Rick-Rolled"...
    • If you upload something to Facebook, assume anyone WILL see it.

      FTFY

      Assume the worst. If you want something private, don't tell ANYONE.

    • by izomiac ( 815208 )

      If you upload something to Facebook, assume anyone can see it.

      Personally, I assume that Mark Zuckerberg can see it, if he so chooses, and I trust him less than my least trustworthy friend.

    • Re:Of course (Score:4, Interesting)

      by betterunixthanunix ( 980855 ) on Tuesday December 06, 2011 @04:01PM (#38284694)

      If you upload something to Facebook, assume anyone can see it

      I used to think this, but there are some pretty convincing arguments in The Net Delusion that have caused me to rethink that position. There are a lot of Facebook users, and dissident groups cannot avoid using Facebook to reach people, simply because of the large number of people on Facebook. If Facebook does not take privacy seriously, the risk to dissidents who try to contact their fellow citizens on Facebook will grow.

      The point here is that yes, it is a problem when Facebook unexpectedly opens its users' data to the world against their wishes. There are legitimate reasons why someone might use Facebook but want to keep their account data private.

      • Re:Of course (Score:4, Interesting)

        by Anonymous Coward on Tuesday December 06, 2011 @04:32PM (#38285076)

        Newsflash: any dissidents attempting to use Facebook are being plain stupid. That's like sending an email containing your entire list of friends and family to every government in the world, but with way more detail about what you do and where you are.

        You do realize that Facebook privacy terms only apply to other users who use Facebook for free, and follow the terms of service, right? Facebook hackers, bots, and government agencies (and likely some large corporations) have full access to Facebook data. So does Facebook. Not only is your "private" Facebook data fair game, so is the "hidden" Facebook data, such as your access log, answers to security questions, access patterns (when you did what), etc.

    • by Jim Hall ( 2985 )

      If you upload something to Facebook, assume anyone can see it.

      In general, this is true of anything you post on the Internet. I look at it this way: try to avoid posting things on Facebook, Twitter, Google+, Slashdot, Flickr, or any other site, that you might be embarrassed for a family member to see, or a future potential employer. If it's on the Internet, assume anyone can see it.

      My immediate personal response to this Facebook flaw: ohmigosh! Then I remembered that my photos are pretty much my cats, work we've done on the house, flowers, speakers at events, and simil

  • Interesting (Score:3, Interesting)

    by koan ( 80826 ) on Tuesday December 06, 2011 @03:18PM (#38284154)

    I wonder what constitutes a "private photo" for Zuckerberg, my guess is he has no photos that would be even remotely interesting since he knows the ins and outs of FB, and why does spell check want to turn "zuckerberg" into "rubbernecker"?

    It's all related somehow...

  • by Ecuador ( 740021 ) on Tuesday December 06, 2011 @03:21PM (#38284188) Homepage

    I saw a link to the forum discussing this somewhere. From the description of the "hack", I was certain this is a hoax. You see, the idea is that the hack is to report the user with private pictures to facebook as having "nude/pornographic" images, and in the image flagging process it shows you private-only pics as well.
    So it really sounded like a hoax to me to have people go around reporting private profiles of hot girls (or even boys I guess), and I am surprised it is a real security flaw. Not that you can call something on facebook a security flaw, since that would require security in the first place, right?

    • by interval1066 ( 668936 ) on Tuesday December 06, 2011 @03:47PM (#38284540) Journal
      This flaw has been exploited for months by the likes of 4chan.org/b/, and others. I'm surprised it took this long to get out.
      • by jd ( 1658 )

        It didn't. It took that long for the "popular bodybuilding forum" to archive those pictures guaranteed to improve its popularity.

      • I was wondering about that. Whether the summary was correct in that Facebook worked quickly to fix it because the exploit spread across the Internet, or if it was because someone posted Zuckerberg's private pictures.
        • I shouldn't ask this; I'm a little curious to know what the nature of Zuckerberg's private pictures might have been.
    • Definitely real (Score:2, Informative)

      by Anonymous Coward

      I decided it was real when I saw someone post Zuck's photos [imgur.com].

      • If ever I thought there was a link that would go to goatse, that was it. But, no, the photos are of Zuckerberg fully clothed. Not mounting a goat or anything along those lines.

  • Private pictures? (Score:5, Interesting)

    by gmuslera ( 3436 ) * on Tuesday December 06, 2011 @03:23PM (#38284208) Homepage Journal
    Wasn't it Zuckerberg himself who said some years ago that whoever wants to have privacy is guilty of something?
    • by blair1q ( 305137 ) on Tuesday December 06, 2011 @03:27PM (#38284272) Journal

      Then I'm guilty of not wanting people to be jealous of my naked body.

    • Re:Private pictures? (Score:4, Informative)

      by hellkyng ( 1920978 ) on Tuesday December 06, 2011 @03:33PM (#38284350)

      "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Eric Schmidt

      Not quite... but close.

      • BTW if you want to google that you might be surprised at how hard that is to find, try this "google ceo privacy quote"

    • There are two kinds of people in the world.

      Those whose dark secrets tend to be the type that might be revealed over the internet, and those whose aren't.

    • by Sir_Eptishous ( 873977 ) on Tuesday December 06, 2011 @05:38PM (#38285750)
      The Canadian privacy expert David Flaherty expresses a similar idea when he argues: "There is no sentient human being in the Western world who has little or no regard for his or her personal privacy; those who would attempt such claims cannot withstand even a few minutes' questioning about intimate aspects of their lives without capitulating to the intrusiveness of certain subject matters."
    • Some guy over at Kuro5hin who I know only as modus [kuro5hin.org] got the idea that I am some manner of dangerous criminal psychopath because I was so inconsiderate of his easily-wounded feeling to point out that, after two decades of working as a coder, I was weary of the work and wanted to change careers by going back to school to learn how to compose symphonies.

      If you look at his comment and diary history at his user info page I linked above, you'll find that the vast majority of them are focussed entirely on me, quite

  • by Anonymous Coward on Tuesday December 06, 2011 @03:24PM (#38284222)

    A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa. -Mark Zuckerberg

    No Mark,
    The private pics of the girl I crush on, yes, those are more relevant to my interests than people dying in Africa. Thank you for giving me occasional glimpses of hope with your privacy blunders.
    Yours Sincerely,
    Creep.

  • by bennomatic ( 691188 ) on Tuesday December 06, 2011 @03:31PM (#38284320) Homepage
    Mistakes happen. Things get through QA. When a bug occurs, if it's in a flight control system, you might crash. If it's in a backup system, you might lose data. If it's in a social network, you might block users you didn't mean to, or you might open your data to unwanted eyes.

    Unless we're going to start regulating social networks like we do products for some other industries, then, well, there's a reasonable likelihood of this sort of thing happening on a regular basis. If you don't like it, don't share stuff on Facebook.
    • don't share stuff on Facebook.

      No real comment, I just thought this deserves repeating.

    • by jd ( 1658 )

      Regulating social network software might actually be a good idea. Not as in restricting content, but as in requiring certain standards to be met. Like it or not, we live in a connected world where information is shared, collated and mined. Errors in that data are next to impossible to correct because they spread faster than you can correct them. In the absence of data privacy laws, it is essential that the calibre of software be such that inappropriate access is kept to an absolute minimum.

      Having said that,

      • by lgw ( 121541 )

        From what I hear from friends who have recently interviewed at Facebook, right now there are apparently banners hung on the walls in the Facebook offices that say "Don't test, just ship." Every developer has the power to push code to production.

        There's considerable space for improvement in quality here before getting to some sort of certification program; for example "a social network should have some QA, more than none" seems like it would be an improvement.

    • In Europe we have a thing called data protection. Organisations who monger personal information have a legal obligation to protect it. Facebook are not exempt. Social networks are already regulated in the advanced world.
      • Why u h8 America?
        • I don't hate America, I've had some lovely holidays there (except for that one time in New York when they blew up the WTC) and some of my best friends are Americans. I do hate America's lack of data protection legislation, dangerous gun laws, propensity to vote oil industry shills into power, desire to market dangerous food to the rest of the world, and one or two other things, but nowhere's perfect. Not a reason not to call out the bad parts when you see em though.
      • by Jorl17 ( 1716772 )
        Seconded. We might suck at many things, but we are starting to drive technology forward instead of being driven by it.
    • by hey! ( 33014 )

      Sure, but it helps to have a system that is designed from the ground up with privacy in mind, rather than having it bolted on when people scream bloody murder.

      • Yes, but I don't think there's a single active social network which was designed from the ground up with privacy in mind. Hell, even the most carefully designed network is only as well controlled as its participants. The moment I share something with you, you can share that with the world. Even if copying and pasting isn't possible, you could take a screen shot of any comments I make and post them anywhere.

        I was thinking of designing a p2p social network as a thought exercise. Such a network would re
        • by hey! ( 33014 )

          You have to assume that things will slip through of course.

          This particular bug could easily have been prevented by making all object requests pass through a layer that implements some form of mandatory access control. But given this story it's obvious there's no such layer in Facebook, and it's up to the developers to bake uniform security policies into every feature they implement. This is a problem that following the DRY principle would have prevented.

          But this kind of thing happens all the time in software

  • by MichaelCrawford ( 610140 ) on Tuesday December 06, 2011 @04:03PM (#38284736) Homepage Journal

    The other day I finally got around to configuring those privacy settings that everyone has been so on about. Facebook sure doesn't make them easy to find.

    I was shocked to find that my account granted access to about three dozen apps that I never even heard of. There were only two or three that I signed up for with my own conscious knowledge. I don't have the first clue how I got signed up for all the rest.

    That just pissed me off. As I was no longer actually using the two or three apps that I did voluntarily use, I deleted all three dozen from my account.

    You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data. Even if you want to use a particular Facebook app, you should configure that particular app's privacy settings to grant it access only to the data you voluntarily want it to have. If you are no longer using an app, or don't recall ever requesting the use of it, you should delete it from your account completely.

    Here's what you do:

    Log in to your Facebook account. (Heh, when I did that just now, I found my account locked. It turned out to be because I had deleted my cookies, not because Facebook caught me spreading the word about how to dump what Facebook considers to be its real customers!)

    At the top-right is your username, "Friends", "Home" and a small triangle. Click on the small triangle then select "Privacy Settings".

    Click on "Edit Settings" to the right of "Apps and Websites". You may need to scroll down a little bit.

    Click on "Edit Settings" to the right of "Apps You Use".

    I no longer use any apps so I can't continue from here, but at this point it should be pretty clear what to do.

    Some apps really will require access to your details so they can function. If so, be certain that you really want to continue using those apps. Give them the minimum level of access that you really want them to have. Delete all the rest.

    • You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data

      Anyone who is unaware of that fact clearly does not understand Facebook's business model.

      • Point out that fact to all of your Facebook friends.

        After I deleted all those apps from my FB profile, I pointed out what I'd done on my FB wall.

        One of my FB Friends immediately replied to thank me for doing so, and told me that it was only because of my advice that she knew to do the same thing for her own profile.

  • Now if there were porn photos of Mark Z. Ewwww!
  • by matthaak ( 707485 ) on Tuesday December 06, 2011 @04:07PM (#38284788) Homepage Journal
    I think this story is revealing about Facebook's security architecture. One would have hoped that security policies are defined within the application at a very low level and that all requests for information -- be it photos, posts, whatever -- must pass through that low-level security layer. What this story reveals is that the security architecture of Facebook is such that each developer of each separate function (in this case, the report-a-nude-photo function) is responsible for re-implementing security checks.
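    The architectural point raised by hey! (a single layer that every object request passes through, so the DRY principle keeps the policy in one place) and by matthaak (each feature re-implementing its own checks, which is how a secondary "report a photo" flow can forget them) can be shown in a few lines. The following is an added illustration written for this page, not Facebook's code; the photo table, social graph and user names are constructed, and the visibility rules are a simplified stand-in for whatever the real site enforces.

```python
"""Centralized access gate vs. per-feature checks (added example).

Models the failure pattern the thread describes: the normal photo viewer
applies the visibility rule, but a second workflow (content reporting)
fetches from the raw table and never asks the policy at all.
"""
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"
    FRIENDS = "friends"
    PRIVATE = "private"


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    visibility: Visibility


@dataclass
class SocialGraph:
    friends: dict = field(default_factory=dict)  # user -> set of friend names

    def are_friends(self, a, b):
        return b in self.friends.get(a, set())


def can_view(viewer, photo, graph):
    """The one place the visibility rules live (DRY)."""
    if viewer == photo.owner:
        return True
    if photo.visibility is Visibility.PUBLIC:
        return True
    if photo.visibility is Visibility.FRIENDS:
        return graph.are_friends(photo.owner, viewer)
    return False  # PRIVATE: owner only


# Constructed sample data: alice and bob are friends, mallory is a stranger.
GRAPH = SocialGraph({"alice": {"bob"}, "bob": {"alice"}})
RAW_PHOTOS = {
    1: Photo(1, "alice", Visibility.PUBLIC),
    2: Photo(2, "alice", Visibility.FRIENDS),
    3: Photo(3, "alice", Visibility.PRIVATE),
}


class PhotoStore:
    """Mandatory gate: every read passes through can_view().

    Features that only hold a PhotoStore cannot reach the raw table, so they
    cannot forget the check."""

    def __init__(self, raw, graph):
        self._raw = raw
        self._graph = graph

    def get(self, viewer, photo_id):
        photo = self._raw.get(photo_id)
        if photo is None or not can_view(viewer, photo, self._graph):
            return None  # identical response for "missing" and "forbidden"
        return photo

    def list_for_user(self, viewer, owner):
        return [p for p in self._raw.values()
                if p.owner == owner and can_view(viewer, p, self._graph)]


# Feature 1: the album viewer, which goes through the store.
def view_album(store, viewer, owner):
    return [p.photo_id for p in store.list_for_user(viewer, owner)]


# Feature 2, as the thread describes it: a reporting flow that re-implements
# its own fetch against the raw table and applies no visibility rule. Every
# photo of the reported user comes back, private ones included.
def report_flow_unchecked(reporter, reported_user):
    return [p.photo_id for p in RAW_PHOTOS.values() if p.owner == reported_user]


# Feature 2, hardened: same flow, but it asks the store, so the reporter only
# sees what they could already see in the album.
def report_flow_checked(store, reporter, reported_user):
    return [p.photo_id for p in store.list_for_user(reporter, reported_user)]


if __name__ == "__main__":
    store = PhotoStore(RAW_PHOTOS, GRAPH)
    print("album as stranger:", view_album(store, "mallory", "alice"))
    print("report flow, unchecked:", report_flow_unchecked("mallory", "alice"))
    print("report flow, checked:", report_flow_checked(store, "mallory", "alice"))
```

    The design choice worth noting is that `report_flow_checked` does not contain any authorization logic of its own; it is correct because it can only obtain photos from `PhotoStore`. That is what "pass through a layer" buys you: a new feature that forgets about privacy still cannot return more than the policy allows, and a change to the rules is made once in `can_view`.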
  • The pictures (Score:5, Interesting)

    by slasho81 ( 455509 ) on Tuesday December 06, 2011 @04:12PM (#38284868)
    The pictures. [imgur.com]
  • by dmomo ( 256005 ) on Tuesday December 06, 2011 @04:13PM (#38284874)

    Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the url of an image (not the facebook url that wraps the image but the actual resource url) you can view it from anywhere whether or not you are logged in.
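    The usual way to keep a static file server stateless (no cookies, no session lookup, as dmomo describes) while still not relying on URL obscurity is a signed, expiring URL: the application server mints a short-lived HMAC over the path and an expiry after its own access check passes, and the static tier verifies the signature with a shared key before serving. The following is an added example written for this page, not Facebook's or any CDN's code; the key, host and paths are constructed placeholders.

```python
"""Signed, expiring URLs for static content (added example).

The static server needs only the shared key and a clock. It never consults
a session store, yet a link that was not minted by the application for this
exact path and time window is rejected, and a leaked link stops working
once it expires.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Shared between the minting (app) and verifying (static) tiers.
# Constructed placeholder; a real deployment loads and rotates it from a
# secret store.
SIGNING_KEY = b"constructed-example-key-not-for-production"
BASE = "https://static.example.invalid"  # constructed host


def _mac(path, expires, key=SIGNING_KEY):
    # Path and expiry are signed together, so neither can be altered alone.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mint_url(path, ttl_seconds=300, now=None):
    """App side: call only after the application's own access check passed."""
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    query = urlencode({"exp": expires, "sig": _mac(path, expires)})
    return f"{BASE}{path}?{query}"


def verify_url(url, now=None):
    """Static side: stateless check, constant-time signature comparison."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or malformed parameters
    if now > expires:
        return False  # the leaked link has gone stale
    expected = _mac(parts.path, expires)
    return hmac.compare_digest(sig, expected)


def demo():
    """Mint one link with a fixed clock and try the obvious alterations."""
    t0 = 1_700_000_000  # constructed timestamp so the run is reproducible
    url = mint_url("/photos/123/private.jpg", ttl_seconds=300, now=t0)
    return {
        "fresh": verify_url(url, now=t0 + 10),
        "expired": verify_url(url, now=t0 + 301),
        "other_path": verify_url(url.replace("/123/", "/124/"), now=t0 + 10),
        "sig_stripped": verify_url(url.split("&sig=")[0], now=t0 + 10),
        "exp_extended": verify_url(
            url.replace(f"exp={t0 + 300}", f"exp={t0 + 9999}"), now=t0 + 10),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>13}: {'served' if ok else 'rejected'}")
```

    The signature binds the expiry, so a client cannot simply push `exp` forward; and because the check is a pure function of key, path, expiry and clock, the static tier stays as cheap as the one dmomo describes, it just refuses to serve on the strength of the path alone.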
