Recently a particular nasty feature of the new Facebook advertising model allowed certain advertising partners to post your purchases to your news feed showing everyone what you had recently bought. The nastiness of this feature â€“ and it is a feature since it was deliberate by Facebook â€“ was the automatic opt in of the sharing. When you made your purchase with particular advertising partners, you had a 10 second window in which to opt out of sharing your purchase. The potential privacy risk is apparent when you take into consideration a statement the NY Times made about regarding this problem. â€œWhat if you just purchased a book titled Coping with AIDSâ€. I highly doubt anyone is in a rush to share this information.
Since then a new security risk has been discovered that exposes all you photographs to potential viewer though simple website address manipulation. Thanks to the work of Computer Engineering Graduate student Dave Churchill this simple exploit can allow anyone to view the full album of someone who is not on his or her friends list.
The conditions for doing this are quite simple. First, you need the address of a photograph in an album that belongs to someone who is not in your friends list. The easiest way to obtain this address is by viewing a photograph that has been tagged by someone you know. Make sure that photograph belongs in an album of someone you do not know and in an album you cannot view through standard navigation. This is necessary as it provides all the information necessary to make the hack easy and demonstrates that it indeed works.
At this point, the simple removal of a parameter in the address bar will expose all the photographs in that album. In this case the “&subj=123456789â€ portion of the address. If you remove that piece of data and hit enter and you now can view all the photographs in that album.
If this was an album of someone you did not know and as such would not be able to view otherwise, you have just bypassed Facebookâ€™s lacking security with the preverbal Mac truck. I have tested this and found I was easily able to view full albums I otherwise would not have access to view.
This simple oversight in the development of the Facebook code is alarming. If this very trivial hack can be applied to albums what other hacks can be applied to expose further data. Since Facebook relies on cookies to track if you are logged in or not, this URL and many others are essentially open to the pubic.
How much longer will Facebookâ€™s lack of security and questionable content policy be accepted? From the blanket user agreement that anything users post on Facebook is free for Facebook to reuse and even sell to others, to their substandard security. Facebook is facing mounting pressure to answer questions to how they use users information and how they protect that.
It is starting to look increasingly like Facebook is a wolf in sheepâ€™s clothing.
See Daveâ€™s original document here