This is a Facebook security "issue" that has been around forever https://fbcdn-sphotos-a.akamaihd.net/hphotos...
Is it even considered an issue? This is a picture of my daughter and son from her Facebook pictures that is publicly available but is connected to her profile, and she probably thinks it is available only to her friends. All Facebook pictures, as far as I know, are publicly available. - Brian Sullivan
I wonder if this is what is being talked about here: http://www.theage.com.au/technol... - Brian Sullivan
No hacking or special skills required -- just somebody to provide the URL. Of course they could have just as well downloaded the picture and emailed it to you. - Brian Sullivan
The added twist here: "Over the seven days or so Heinrich ran a program on his computer to guess the URL of a photo. It needed two inputs in the demonstration given to Fairfax Media - the friend ID and X. The value X was what Heinrich got the computer to guess, getting it to guess daily from about 0 to 200,000." Read more: http://www.smh.com.au/technol... - Brian Sullivan
So what has been proved is that there is no security on Facebook pictures, or that security by obfuscation does not work, or both? - Brian Sullivan
The bizarre thing here is that somehow there is a perceived criminal act here. - Brian Sullivan
This has been a known issue and dismissed by Facebook as not a problem for years: http://radio-weblogs.com/0127028... - post from my now mostly defunct blog in 2008. - Brian Sullivan
Has there ever NOT been a Facebook security issue? It's beyond the point of ridiculous now and has grown to legend. Yet people, in droves, still go along with signing up. (FB just bugs me #bitchfest) - sofarsoShawn
I am not sure given their current strategies that it can be fixed - don't CDN network files have to be public? Or is there some way to make them require a login for access? - Brian Sullivan
As the posting in my blog illustrates though -- these links are likely to rot/change over time. - Brian Sullivan
"security by obfuscation does not work" -- no matter how much they "improved" it, it would never really get any better. - Brian Sullivan
FF has a similar issue. Images posted in "private" feeds are publicly available without login. - Brian Sullivan
Maybe the Australian police can now arrest me and seize my laptop? - Brian Sullivan
I wonder if pictures in private rooms on FF are available publicly just by knowing the URL? edit: -- apparently yes. http://m.friendfeed-media.com/febde7c... - Brian Sullivan
In the FF case, like many sites today, the images are stored and served directly from Amazon S3; they don't go through the FriendFeed app server's authentication system. To implement permissions on each S3 object (image) in conjunction with a FriendFeed user would be nontrivial. - Micah
The same is true of Facebook (using a different provider) from what I can tell. - Brian Sullivan
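Micah's comment (images served straight from object storage, bypassing the app's authentication) and Brian's earlier question (is there some way to make CDN files require a login?) point at the usual fix: the app server stays the authority, but instead of proxying every image it mints a short-lived, signed URL bound to the object and the requesting user, and the edge rejects anything else. The example below is added here to show that mechanism; it is not code from the thread, from FriendFeed or from Facebook. The CDN hostname and the signing key are constructed for the demo, and the verifier would in practice run at the CDN edge or in an authorizer in front of the bucket (Amazon S3 pre-signed URLs apply the same idea with the AWS request signature instead of this hand-rolled HMAC).

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real deployment keeps this in a secret store and rotates it.
DEMO_SECRET = b"constructed-demo-key-not-for-production"
CDN_BASE = "https://cdn.example.invalid"  # hypothetical CDN origin


def sign_image_url(object_key, user_id, ttl_seconds, now=None, secret=DEMO_SECRET):
    """Mint a short-lived URL for one object, bound to the requesting user.

    The tag covers object key, user id and expiry, so changing any of them
    (for instance stepping to a neighbouring photo id) invalidates the link.
    """
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_seconds)
    msg = f"{object_key}|{user_id}|{expires}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    query = urlencode({"uid": user_id, "exp": expires, "sig": tag})
    return f"{CDN_BASE}/{object_key}?{query}"


def verify_image_url(url, now=None, secret=DEMO_SECRET):
    """Edge-side check. Returns (allowed, reason); unsigned URLs are denied."""
    now = int(time.time()) if now is None else int(now)
    parsed = urlparse(url)
    object_key = parsed.path.lstrip("/")
    params = parse_qs(parsed.query)
    try:
        uid = params["uid"][0]
        exp = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    if now > exp:
        return False, "expired"
    expected = hmac.new(secret, f"{object_key}|{uid}|{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Walk the cases from the thread: legitimate link, guessed neighbour id, expired link, bare URL."""
    issued_at = 1_700_000_000  # constructed fixed clock so results are reproducible
    good = sign_image_url("photos/12345.jpg", "user-42", ttl_seconds=300, now=issued_at)
    # Someone keeps the valid signature but swaps in the next photo id.
    guessed = good.replace("photos/12345.jpg", "photos/12346.jpg")
    bare = f"{CDN_BASE}/photos/12345.jpg"
    return {
        "fresh": verify_image_url(good, now=issued_at + 60),
        "guessed_id": verify_image_url(guessed, now=issued_at + 60),
        "expired": verify_image_url(good, now=issued_at + 600),
        "bare_url": verify_image_url(bare, now=issued_at + 60),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:>10}: {'allow' if ok else 'deny'} ({why})")
```

This closes the enumeration problem the article describes (a bare or altered object path is rejected at the edge, however many values of X are tried) while keeping the serving path on the CDN. It does not stop what Brian notes at the start: a friend with a valid link can still forward it, or the image itself, for as long as the link lives, so the TTL and the per-user binding are what limit that exposure.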