Facebook Flaw Exposed Private Photos

Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."

Again?

[masternerdguy]

Facebook privacy violation? *shockface* I'm sure glad I don't use Facebook.

Re:Again?

[NoNonAlphaCharsHere]

Who says Slashdot doesn't change with the times? See how the (sometimes twice) daily "New remote execution flaw in Windows" articles have been replaced by "New egregious privacy violation found in Facebook" stories?

Re:Again?

[fuzzyfuzzyfungus]

Cloud computing is all the rage these days. All proactive managers are moving their egregious vulnerabilities into the cloud, so it is only fair that tech journalism follow suit...

Re:

[Anonymous Coward]

I can't wait for it to be "horrifying security hole in Linux" twice a day. That should be a lolfest.

Any day now, Linux should be crawling with viruses.

Any day now.

Re:Again?

[Anonymous Coward]

Any day now it might be the Year of the Linux Desktop (tm).

Re:Again?

[CodeReign]

I'm still waiting for the era of Solaris workstation

Re:

[Bucky24]

Who modded this troll? It's funny.

Re:

[Anonymous Coward]

To you. It's a troll to anybody who's tired of seeing this trotted out every time there's a story that can be even vaguely linked.

Re:Again?

[Anonymous Coward]

And no friend of yours uses facebook?
And no one you ever was in a party with?
And no one who has your adress in their gmail contact list?

Facebook is a threat not limited to its users.

Re:

[inglorion_on_the_net]

Slashdot users with RL friends? Who go to parties with them? Resulting in interesting pictures?

You must be new here. ;-)

Re:

[alanshot]

OH MY GOD! You mean someone might just see a photo of my dog? STOP THE PRESSES, MY PRIVACY HAS BEEN RAPED.

The Facebook "threat" to privacy is overblown. I've got a Facebook account. I hardly use it, and don't really have much there. The pictures of me that ARE there are just fishing trip pictures posted by other people. Why the hell should I care who can see them?

So you dont care that FB harvests PII (personally identifiable info) from your freinds and can add more info to your account than you wish to surrender to them yourself?

While some of the privacy issues are overblown, there are some disturbing trends. One other fun one is "shadow profiles".

Supposedly FB is compiling the info they harvest from your freinds' contact lists and "creating" profiles for people who arent on FB yet.

For example, your coworker "Bob" isnt on facebook. You are, as well as a dozen or so

Re:

[tsa]

Facebook has become the 1990's MS of the 2010's. Every week a new exploit.

Re:Again?

[fafaforza]

If you don't want private stuff to be exposed then don't post it. It's that simple. When you upload/post stuff, you have no control over it. But you can still use Facebook to stay in touch.

Re:Again?

[bronney]

Oh you missed the fun part brother. It's not whether you post it, it's I post you on it. You can't stop it, you can't delete it.

Re:Again?

[beowulfcluster]

People who don't use Facebook are so superior. Whenever someone says that it reminds me a bit about this: http://www.theonion.com/articles/area-man-constantly-mentioning-he-doesnt-own-a-tel,429/ [theonion.com]

By the way I of course don't use Facebook.

Of course

[Sarten-X]

If you upload something to Facebook, assume anyone can see it. Whether it's a genuine hack, somebody figuring out your password, or leaving a computer logged in while you go grab coffee, somebody will at some point have access to everything, so don't upload it in the first place. It's that simple.

That means don't complain profusely about your boss every day, don't send explicit messages to you lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

Re:Of course

[peragrin]

Always assume anything on facebook is visible to everyone always. You no longer have any control, it is never deleted, never removed.

It is why i have never used facebook ever. It isnt worth it. While i do know some has posted pictures of me, those pictures cant truely be linked to me.

Re:Of course

[qubezz]

... While i do know some has posted pictures of me, those pictures cant truely be linked to me.

That is, until the other user imports their contact lists with your email addresses and phone numbers into Facebook, and starts tagging pictures of you, and they correlate others's address books with you in them. Then Facebook has a good idea who you are and who your "friends" are without you ever logging in.

Re:Of course

[geekmux]

If you upload something to Facebook, assume anyone can see it...

Ah, you misspelled Internet.

Re:Of course

[Abstrackt]

If you upload something to Facebook, assume Internet can see it...

Ah, you misspelled Internet.

I've taken the liberty of making the correction on your behalf.

Re:

[Kral_Blbec]

If you upload something to Internet, assume anyone can see it...

Ah, you misspelled Internet.

I've taken the liberty of making the correction on your behalf.

I think that was the correction he was talking about.

Re:Of course

[PNutts]

If you upload pr0n to Internet, make sure I can see it...

Ah, you misspelled Internet.

I've taken the liberty of making the correction on your behalf.

I think that was the correction he was talking about.

Sorry, it still wasn't right.

Re:

[jellomizer]

In other words.
Rules for civilized public discourse still apply.

Granted Face Book really needs to fix it privacy and security to be much better. But Facebook is a Social Media site. Meaning information posted is meant to be posted socially.

Re:

[jellomizer]

If the business is perceived too risky, customers leave and they cannot sell products and make money.

Re:Of course

[snowgirl]

That means don't complain profusely about your boss every day, don't send explicit messages to you lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

But I hate my boss; he's a total asshole! And my boyfriend loves getting steamy messages (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) ), and I archive all the bachelor parties that I perform at. I need to have a portfolio after all! How will the next bachelor party find out if they want me vs. that skank across town?

Click here [youtube.com] to visit my private webpage, for my special webpage (Registration, and credit card required)

Re:Of course

[Anonymous Coward]

(hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) )

This is the classic problem of how to properly close a parenthetical statement that ends with an emoticon.

Re:Of course

[Anonymous Coward]

The easy fix, in this case, is to use more tongue. ;p

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Pope]

User name/post combo of the day!

Re:Of course

[Anonymous Coward]

You can tell he's a coder because he substituted the placement instead of thinking about it as being "inside" a layer which must be closed regardless of the last character. Other people see the aesthetics of one vs two )'s and one for many *looks* better. As a coder we know we didn't properly close our parens.

Programmers through process.

Ok I'm inside a parens.
        content.
        more content.
        smiley
Ok, I have to close this parens.

==
Normal person's thought process.
==

Ok I'm whispering, so I need to start with a (
content.
more content.
Now I'm done. (looks at the sentence, and thinks a single closing paren looks better, does not add another one)

Re:

[jones_supa]

(hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) )

This is the classic problem of how to properly close a parenthetical statement that ends with an emoticon.

Another semantic nugget I wanted to add, is when you use slash to separate two things ("cat/dog"). If an item consists of multiple words, you should cover it in curly brackets so that you know what words the option covers ("cat/{big dog}").

So technically the sentences "Today I'm going to fix the garage/kitchen door" and "Today I'm going to fix the garage/{kitchen door}" are two different things. In the first one you're either fixing the door of garage or kitchen. In the second one you're either fixing the w

Re:

[Anonymous Coward]

hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;)

I just discovered that I assume that everyone on Slashdot is male, and that guys who wear panties for their boyfriend Brian kind of skeeve me out.

Learn something new every day...

Re:

[Sarten-X]

Well, of course, if you "perform" professionally at bachelor parties, then perhaps your Facebook page is a marketing tool for your entertainment business. In that case, it should present an image suitable to your profession. If that means insulting your boss to help potential customers identify with you, then so be it.

Re:

[migla]

You're very talented! I haven't seen such classic moves in a while. Cool voice, too.

Re:

[interval1066]

Can I get your number?

Re:

[Baloroth]

I can probably guess it: 772-257-4501

Re:

[PRMan]

Just get it from her Facebook profile...

I mean, c'mon, it's not like it's hard...

Re:

[bronney]

It's hard.

Some of my best friends are strippers

[MichaelCrawford]

One of them had the idea that she could shock me by giving me her business card that bore a professionally photographed wide-open beaver shot.

If you're anywhere near Santa Cruz, California, Seraphina Landgrebe does excellent erotic photography. I rang her up once in hopes that she could do a nice portrait for use as a Valentine's Day gift, but I did not yet have the kind of relationship with that young lady that would have made Seraphina's suggestion that I pose while clad in nothing but a leopard-print jo

Re:

[TheQuantumShift]

"Son of a bitch," he cried. And so ends the saga of: "The Last Person On The Face Of The Earth To Be "Rick-Rolled"...

Re:

[twdorris]

I'll second that. Assuming she's a she.

Re:

[Archangel Michael]

If you upload something to Facebook, assume anyone WILL see it.

FTFY

Assume the worst. If you want something private, don't tell ANYONE.

Re:

[Thing 1]

"Two men can keep a secret, if one of them is dead."

Re:

[izomiac]

If you upload something to Facebook, assume anyone can see it.

Personally, I assume that Mark Zuckerberg can see it, if he so chooses, and I trust him less than my least trustworthy friend.

Re:Of course

[betterunixthanunix]

If you upload something to Facebook, assume anyone can see it

I used to think this, but there are some pretty convincing arguments in The Net Delusion that have caused me to rethink that position. There are a lot of Facebook users, and dissident groups cannot avoid using Facebook to reach people, simply because of the large number of people on Facebook. If Facebook does not take privacy seriously, the risk to dissidents who try to contact their fellow citizens on Facebook will grow.

The point here is that yes, it is a problem when Facebook unexpectedly opens its users' data to the world against their wishes. There are legitimate reasons why someone might use Facebook but want to keep their account data private.

Re:Of course

[Anonymous Coward]

Newsflash: any dissidents attempting to use Facebook are being plain stupid. That's like sending an email containing your entire list of friends and family to every government in the world, but with way more detail about what you do and where you are.

You do realize that Facebook privacy terms only apply to other users who use Facebook for free, and follow the terms of service, right? Facebook hackers, bots, and government agencies (and likely some large corporations) have full access to Facebook data. So does Facebook. Not only is your "private" Facebook data fair game, so is the "hidden" Facebook data, such as your access log, answers to security questions, access patterns (when you did what), etc.

Re:

[Jim Hall]

If you upload something to Facebook, assume anyone can see it.

In general, this is true of anything you post on the Internet. I look at it this way: try to avoid posting things on Facebook, Twitter, Google+, Slashdot, Flickr, or any other site, that you might be embarrassed for a family member to see, or a future potential employer. If it's on the Internet, assume anyone can see it.

My immediate personal response to this Facebook flaw: ohmigosh! Then I remembered that my photos are pretty much my cats, work we've done on the house, flowers, speakers at events, and simil

Re:Of course

[forkfail]

You do understand that these forums are often frequented by folks who have forgotten more about computer security that most folks will learn during the course of their entire lives?

Interesting

[koan]

I wonder what constitutes a "private photo" for Zuckerberg, my guess is he has no photos that would be even remotely interesting since he knows the ins and outs of FB, and why does spell check want to turn "zuckerberg" into "rubbernecker"?

It's all related somehow...

Surprised this is real.

[Ecuador]

I saw a link to the forum discussing this somewhere. From the description of the "hack", I was certain this is a hoax. You see, the idea is that the hack is to report the user with private pictures to facebook as having "nude/pornographic" images, and in the image flagging process it shows you private-only pics as well.
So it really sounded like a hoax to me to have people go around reporting private profiles of hot girls (or even boys I guess), and I am surprised it is a real security flaw. Not that you can call something on facebook a security flaw, since that would require security in the first place, right?

Re:Surprised this is real.

[interval1066]

This flaw has been exploited for months by the likes of 4chan.org/b/, and others. I'm surprised it took this long to get out.

Re:

[jd]

It didn't. It took that long for the "popular bodybuilding forum" to archive those pictures guaranteed to improve its popularity.

Re:

[Solandri]

I was wondering about that. Whether the summary was correct in that Facebook worked quickly to fix it because the exploit spread across the Internet, or if it was because someone posted Zuckerberg's private pictures.

Re:

[interval1066]

I shouldn't ask this; I'm a little curious to know what the nature of Zuckerberg's private pictures might have been.

Definitely real

[Anonymous Coward]

I decided it was real when I saw someone post Zuck's photos [imgur.com].

Re:

[Bill Dimm]

If ever I thought there was a link that would go to goatse, that was it. But, no, the photos are of Zuckerberg fully clothed. Not mounting a goat or anything along those lines.

Private pictures?

[gmuslera]

Wasnt Zuckerberg himself who said some years ago that whoever wants to have privacy is guilty of something?

Re:Private pictures?

[blair1q]

Then I'm guilty of not wanting people to be jealous of my naked body.

Re:Private pictures?

[hellkyng]

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Eric Schmidt

Not quite... but close.

Re:

[hellkyng]

BTW if you want to google that you might be surprised at how hard that is to find, try this "google ceo privacy quote"

Re:

[forkfail]

There are two kinds of people in the world.

Those who dark secrets tend to be they type that might be revealed over the internet, and those whose aren't.

Re:Private pictures?

[Sir_Eptishous]

The Canadian privacy expert David Flaherty expresses a similar idea when he argues: "There is no sentient human being in the Western world who has little or no regard for his or her personal privacy; those who would attempt such claims cannot withstand even a few minutes' questioning about intimate aspects of their lives without capitulating to the intrusiveness of certain subject matters."

I confess: I have an Internet stalker

[MichaelCrawford]

Some guy over at Kuro5hin who I know only as modus [kuro5hin.org] got the idea that I am some manner of dangerous criminal psychopath because I was so inconsiderate of his easily-wounded feeling to point out that, after two decades of working as a coder, I was weary of the work and wanted to change careers by going back to school to learn how to compose symphonies.

If you look at his comment and diary history at his user info page I linked above, you'll find that the vast majority of them are focussed entirely on me, quite

thank you mark.

[Anonymous Coward]

A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa. -Mark Zuckerberg

No Mark,
The private pics of the girl I crush on, yes, those are more relevant to my interests than people dying in Africa. Thank you for giving me occasional glimpses of hope with your privacy blunders.
Yours Sincerely,
Creep.

A bug? In software? OH MY!

[bennomatic]

Mistakes happen. Things get through QA. When a bug occurs, if it's in a flight control system, you might crash. If it's in a backup system, you might lose data. If it's in a social network, you might block users you didn't mean to, or you might open your data to unwanted eyes.

Unless we're going to start regulating social networks like we do products for some other industries, then, well, there's a reasonable likelihood of this sort of thing happening on a regular basis. If you don't like it, don't share stuff on Facebook.

Re:

[Baloroth]

don't share stuff on Facebook.

No real comment, I just thought this deserves repeating.

Re:

[jd]

Regulating social network software might actually be a good idea. Not as in restricting content, but as in requiring certain standards to be met. Like it or not, we live in a connected world where information is shared, collated and mined. Errors in that data are next to impossible to correct because they spread faster than you can correct them. In the absence of data privacy laws, it is essential that the calibre of software be such that inappropriate access is kept to an absolute minimum.

Having said that,

Re:

[lgw]

From what I hear from friends who have recently interviewed at Facebook, right now there are apparantly banners hung on the walls in the Facebook offices that say "Don't test, just ship." Every developer has the power to push code to production.

There's considerable space for improvement in quality here before getting to some sort of certification program; for example "a social network should have some QA, more than none" seems like it would be an improvement.

Re:

[biodata]

In Europe we have a thing called data protection. Organisations who monger personal information have a legal obligation to protect it. Facebook are not exempt. Social networks are already regulated in the advanced world.

Re:

[bennomatic]

Why u h8 America?

Re:

[biodata]

I don't hate America, I've had some lovely holidays there (except for that one time in New York when they blew up the WTC) and some of my best friends are Americans. I do hate America's lack of data protection legislation, dangerous gun laws, propensity to vote oil industry shills into power, desire to market dangerous food to the rest of the world, and one or two other things, but nowhere's perfect. Not a reason not to call out the bad parts when you see em though.

Re:

[Jorl17]

Seconded. We might suck at many things, but we are starting to drive technology forward instead of being driven by it.

Re:

[hey!]

Sure, but it helps to have a system that is designed from the ground up with privacy in mind, rather than having it bolted on when people scream bloody murder.

Re:

[bennomatic]

Yes, but I don't think there's a single active social network which was designed from the ground up with privacy in mind. Hell, even the most carefully designed network is only as well controlled as its participants. The moment I share something with you, you can share that with the world. Even if copying and pasting isn't possible, you could take a screen shot of any comments I make and post them anywhere.

I was thinking of designing a p2p social network as a thought exercise. Such a network would re

Re:

[hey!]

You have to assume that things will slip through of course.

This particular bug could easily have been prevented by making all object requests pass through a layer that implements some form of mandatory access control. But given this story it's obvious there's no such layer in Facebook, and it's up to the developers to bake uniform security policies into every feature they implement. This is a problem that following the DRY principle would have prevented.

But this kind of thing happen all the time in software

Did You Really Authorize All Those FB Apps?

[MichaelCrawford]

The other day I finally got around to configuring those privacy settings that everyone has been so on about. Facebook sure doesn't make them easy to find.

I was shocked to find that my account granted access to about three dozen apps that I never even heard of. There were only two or three that I signed up for with my own conscious knowledge. I don't have the first clue how I got signed up for all the rest.

That just pissed me off. As I was no longer actually using the two or three apps that I did voluntarily use, I deleted all three dozen from my account.

You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data. Even if you want to use a particular Facebook app, you should configure that particular app's privacy settings to grant it access only to the data you voluntarily want it to have. If you are no longer using an app, or don't recall ever requesting the use of it, you should delete it from your account completely.

Here's what you do:

Log in to your Facebook account. (Heh, when I did that just now, I found my account locked. It turned out to be because I had deleted my cookies, not because Facebook caught me spreading the word about how to dump what Facebook considers to be its real customers!)

At the top-right is your username, "Friends", "Home" and a small triangle. Click on the small triangle then select "Privacy Settings".

Click on "Edit Settings" to the right of "Apps and Websites". You may need to scroll down a little bit.

Click on "Edit Settings" to the right of "Apps You Use".

I no longer use any apps so I can't continue from here, but at this point it should be pretty clear what to do.

Some apps really will require access to your details so they can function. If so, be certain that you really want to continue using those apps. Give them the minimum level of access that you really want them to have. Delete all the rest.

Re:

[Kymermosst]

You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data

Anyone who is unaware of that fact clearly does not understand Facebook's business model.

Want To Provide A Valuable Public Service?

[MichaelCrawford]

Point out that fact to all of your Facebook friends.

After I deleted all that Apps from my FB profile, I pointed out what I'd done on my FB wall.

One of my FB Friends immediately replied to thank me for doing so, and told me that it was only because of my advice that she knew to do the same thing for her own profile.

Re:

[Sir_Eptishous]

Yea but that means your not online... Wait?!? What?!?

Here's Why I Really Do Need To Use Facebook

[MichaelCrawford]

The vast majority of old friends that I want to find again don't have the first clue how to use Google.

While I'm pretty good at "Feeling Lucky" myself, the kind of people who don't know how to use Google also tend not to appear anywhere on the Web under their own real names.

One of my very best friends during my Freshman year of high school was a fellow Roman Soldier in Armijo High School's production of Jesus Christ Superstar. I'm handy with tools, so with the help of Ted and the other tool-handy Roman Sol

What kind of photos?

[cvtan]

Now if there were porn photos of Mark Z. Ewwww!

Surprisingly weak architecture

[matthaak]

I think this story is revealing about Facebook's security architecture. One would have hoped that security policies are defined within the application at a very low level and that all requests for information -- be it photos, posts, whatever -- must pass through that low-level security layer. What this story reveals is that the security architecture of Facebook is such that each developer of each separate function (in this case, the report-a-nude-photo function) is responsible for re-implementing security checks.

Re:

[Thing 1]

This sounds a lot like cooperative multitasking, and the consequent hanging problems OSes that chose that route had.

Re:

[jones_supa]

Exactly. There seems to be some major design flaws in Facebook.

The pictures

[slasho81]

The pictures. [imgur.com]

Re:

[Sez Zero]

He's not wearing a seatbelt; quick, someone raise his insurance rates!

Regardless of THIS flaw

[dmomo]

Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the url of an image (not the facebook url that wraps the image but the actual resource url) you can view it from anywhere whether or not you are logged in.

Re:Regardless of THIS flaw

[Anonymous Coward]

In addition to that if you have the static URL to the photo it persists after the photo has been deleted as well. I tested this by loading a URL after a photo had been deleted from the profile and voila! Its still there.

So creeps, grab those URLs from your cache while you can.

Re:Regardless of THIS flaw

[dmomo]

Yeah. And if for some reason, you share it to someone.. and they post it anywhere, and google pics up the url, forget it:
https://www.google.com/search?q=a3.sphotos.ak.fbcdn.net/hphotos-ak-snc7&oe=utf-8um=1&ie=UTF-8&hl=en&tbm=isch&source=og&sa=N&tab=wi [google.com]

You can also run a search for partial image names through the google image search api [google.com] using facebook known static content servers.

Re:

[grantek]

In addition to that if you have the static URL to the photo it persists after the photo has been deleted as well.

Well, that's to be expected when using a static cache - it's the only way DNS can manage, for example (DNS changes take a while to "propagate" through the Internet).

If the deleted content is still there a week or more later, then you've got problems.

Re:Regardless of THIS flaw

[blackraven14250]

This has nothing to do with DNS. When an image is "removed" from Facebook, the image is left on the server. The URL is something like this: http://a3.sphotos.ak.fbcdn.net/ [fbcdn.net] . Using the rest of the url, you can always access the image because they're not changing around which servers are assigned which names.

Re:Regardless of THIS flaw

[ShaunC]

If the deleted content is still there a week or more later, then you've got problems.

We're talking about Facebook here. The content is never deleted, and that's by design.

Re:you can't trust 3rd parties with private info

[fuzzyfuzzyfungus]

Inconveniently, tiny networks are dubiously useful for most of the purposes to which people put facebook, network effects and all that.

It's not my cup of tea; but the notion that one could usefully improve one's security by simply replacing facebook with a personally implemented private network is roughly similar to the notion that one can usefully improve one's security by severing one's LAN from the internet.

Both are true; but not terribly useful for most users.

Re:

[berashith]

no no no ... these are great fun.

Re:

[masternerdguy]

i'm not sure you isn't a test of a moron.

i'm not sure if you isn't a test of a moron either mate.

Re:

[Dunbal]

Having a conversation/discussion != trolling. However only a minority actually understand this concept - the ones on the far right side of the bell curve.

Re:

[Dunbal]

Thank you sir for making my point for me. Known on the X axis, variable on the Y, etc.

Re:

[forkfail]

Fox News calling someone a "miscreant" is like Idi Amin calling someone "a big meanie".

Re:

[Caerdwyn]

All the QA in the world won't help if the findings of the QA engineers do not result in defects being acknowledged or fixed. QA in those cases is not a testing group; it's a rubber stamp for which the question "do we ship it" is required to be "yes". This arises either because QA reports to a development manager (i.e. someone whose performance review is based what is released how close to schedule under budget, therefore someone who simultaneously has the motivation and the power to ignore QA findings), or

Re:

[jones_supa]

Everyone uses computers these days and may find interesting things. After all, the crack was something for which you wouldn't need special hacker skills. But yeah, it's interesting.