Recently, a particularly nasty feature of the new Facebook advertising model allowed certain advertising partners to post your purchases to your news feed, showing everyone what you had recently bought. The nastiness of this feature – and it is a feature, since it was deliberate on Facebook's part – was the automatic opt-in to the sharing. When you made a purchase with particular advertising partners, you had a 10-second window in which to opt out of sharing it. The potential privacy risk is apparent when you consider a statement the NY Times made regarding this problem: “What if you just purchased a book titled Coping with AIDS”. I highly doubt anyone is in a rush to share this information.
Since then, a new security risk has been discovered that exposes all of your photographs to potential viewers through simple website address manipulation. Thanks to the work of Computer Engineering graduate student Dave Churchill, this simple exploit can allow anyone to view the full album of someone who is not on his or her friends list.
The conditions for doing this are quite simple. First, you need the address of a photograph in an album that belongs to someone who is not on your friends list. The easiest way to obtain this address is by viewing a photograph that has been tagged by someone you know. Make sure that the photograph belongs to an album of someone you do not know, one you cannot view through standard navigation. This is necessary because it provides all the information needed to make the hack easy and demonstrates that it indeed works.
At this point, simply removing a parameter from the address bar will expose all the photographs in that album; in this case, the “&subj=123456789” portion of the address. If you remove that piece of data and hit Enter, you can now view all the photographs in that album.
If this was an album of someone you did not know, and as such one you would not otherwise be able to view, you have just bypassed Facebook’s lacking security with the proverbial Mack truck. I have tested this and found I was easily able to view full albums I otherwise would not have had access to.
This simple oversight in the development of the Facebook code is alarming. If this very trivial hack can be applied to albums, what other hacks can be applied to expose further data? Since Facebook relies on cookies to track whether you are logged in or not, this URL and many others are essentially open to the public.
How much longer will Facebook’s lack of security and questionable content policy be accepted? From the blanket user agreement that anything users post on Facebook is free for Facebook to reuse and even sell to others, to its substandard security, Facebook is facing mounting pressure to answer questions about how it uses users’ information and how it protects it.
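The flaw described above is a classic missing server-side authorization check: the handler decides what to show from the shape of the request (whether `subj` is present) instead of from the viewer's relationship to the album owner. The following is an added Python model of that bug next to a hardened handler; it is constructed for illustration and is not Facebook's code. The users, albums, photo ids, tag data, `photos.example` host and the `vulnerable_view` / `hardened_view` functions are all assumptions. The `viewer` argument stands for the identity the server recovers from the session cookie, never anything taken from the URL.

```python
"""Toy model of the photo-album authorization bug (constructed example)."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Album:
    album_id: int
    owner: str
    photos: list
    friends_only: bool = True


# Constructed data: alice owns album 1 and is friends with bob; carol is
# bob's friend but not alice's; mallory knows nobody. Photo p2 is tagged "bob",
# so carol can reach p2 via bob's tags (the "tagged by someone you know" path).
FRIENDS = {
    "alice": {"bob"},
    "bob": {"alice", "carol"},
    "carol": {"bob"},
    "mallory": set(),
}
ALBUMS = {1: Album(1, "alice", ["p1", "p2", "p3"])}
TAGS = {"p2": {"bob"}}


def parse_params(url):
    """Flatten a photo.php-style query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def can_view_album(viewer, album):
    """Whole-album access: owner, public album, or a friend of the owner."""
    return (viewer == album.owner
            or not album.friends_only
            or viewer in FRIENDS[album.owner])


def can_view_photo(viewer, album, photo_id):
    """A single tagged photo is also visible to the tagged person and their friends."""
    if can_view_album(viewer, album):
        return True
    return any(viewer == t or viewer in FRIENDS[t] for t in TAGS.get(photo_id, ()))


def vulnerable_view(viewer, url):
    """Authorization keyed on request shape: the 'subj' branch checks the tag,
    but the branch taken when 'subj' is removed never checks anything."""
    p = parse_params(url)
    album = ALBUMS.get(int(p.get("id", 0)))
    if album is None:
        return None
    if "subj" in p:
        pid = p.get("pid")
        return [pid] if pid in album.photos and can_view_photo(viewer, album, pid) else None
    return list(album.photos)  # BUG: full album with no access check


def hardened_view(viewer, url):
    """Decide from the viewer's relationship to the album, whatever the URL says."""
    p = parse_params(url)
    album = ALBUMS.get(int(p.get("id", 0)))
    if album is None:
        return None
    if can_view_album(viewer, album):
        return list(album.photos)
    pid = p.get("pid")
    if pid in album.photos and can_view_photo(viewer, album, pid):
        return [pid]  # only the single photo the viewer is entitled to
    return None


# Constructed URLs in the shape the post describes, with and without &subj=.
TAGGED_URL = "https://photos.example/photo.php?pid=p2&op=1&view=all&subj=bob&id=1"
STRIPPED_URL = "https://photos.example/photo.php?pid=p2&op=1&view=all&id=1"

if __name__ == "__main__":
    for who in ("carol", "mallory"):
        print(who, "vulnerable:", vulnerable_view(who, STRIPPED_URL),
              "hardened:", hardened_view(who, STRIPPED_URL))
```

Running the module prints what each viewer gets once `&subj=` is dropped: the vulnerable handler hands both carol and mallory the entire album, while the hardened one returns only the tagged photo to carol and nothing to mallory. The point for a reviewer is that every code path that returns data must consult the same access-control function; a parameter's presence is not a permission.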
It is starting to look increasingly like Facebook is a wolf in sheep’s clothing.
See Dave’s original document here
I think that I read somewhere in the Facebook “Terms” that you can disable the cookies which ALWAYS track you. But you still need cookies to log into facebook.
This is what I was talking about:
“By default, we use a persistent cookie that stores your login ID (but not your password) to make it easier for you to login when you come back to Facebook. You can remove or block this cookie using the settings in your browser if you want to disable this convenience feature. ”
I guess it isn’t the same cookie that is always spying on you.
actually, until the picture holes were closed about a week ago, anybody with a facebook account could see the pictures tagged of any other facebook user. it was NOT just limited to albums
if i typed in: http://hs.facebook.com/photo.php?pid=2&op=1&view=all&subj=XXX&id=727650318
with XXXX being the target user id, i could see all pictures of that person tagged by others.
a similar url allows the same to be done with pictures tagged by that person themselves.
the hole was huge, and it just sat there for several years. i simply cannot understand why facebook did not find this sooner.
i was in 8th grade when i found this hole myself, and i’m not even particularly bright.
what is going on, facebook?