

Facebook leaks user's IP addresses - rdj
http://www.binint.com/2010/05/facebook-leaks-ip-addresses.html

======
yaroslavvb
Someone commented on that page that leaking user's IP address is a common
spam-prevention practice. I just checked gmail and Yahoo Mail, and they both
include my IP address in the header of outgoing messages.

For instance, Yahoo Mail puts my IP address in a line like this

Received: from [xxx.xxx.xxx.xxx]

~~~
danieldon
How did you send it using gmail? I just sent two via the web interface, one to
a gmail account and another to a non-gmail account, the originating ip is
209.85.221.175 (a google ip address) and my current IP doesn't show up
anywhere in the headers.

Edit: it doesn't show up base64 encoded, either.

~~~
mct
gmail reveals the sender's IP address only when sending mail via
(authenticated) SMTP. The IP address is hidden when sending mail via the web
interface.

------
hachiya
Yep. Confirmed. Command line example:

Take the Base64 string from this line in the headers:

X-Facebook: from zuckmail ([OTguMTgzLjI0Ny4yMTg=])

      $ ruby -rbase64 -e "puts Base64::decode64('NzQuMTI1Ljk1LjEwNA==')"
      74.125.95.104

~~~
bobbyi
That confirms that it's an IP address, not that it's his.

~~~
spc476
I did the same for two Facebook notifications, from different friends, and
both tagged their city (Tuscaloosa, AL didn't surprise me, but Blountstown,
FL? That's fairly targeted).

------
MikeCapone
Does anyone know of a site that tracks all of these privacy problems (and
potential problems) with Facebook? Following up and keeping track is the best
way to keep FB accountable, and I'm sure a lot of media people would use such
a site.

~~~
there
there might be a facebook group for it...

------
rdj
Not speculation. I just tried this with a few folks, and it works as
advertised.

------
patio11
I'm just... not concerned? Anything you do online leaks your IP address. If a
friend embeds a photo from Flickr into their feed, and you load it, consider
your IP leaked. etc, etc, etc

~~~
alanh
Leaked to Flickr, not to a Flickr user, unless I am missing something.

------
hugh3
_but not when a wife is trying to hide from an abusive husband and assumes
Facebook is the best form of communication_

Is this the best scenario they could come up with where this is a problem?

~~~
mcantelon
This might have been a reference to a similar scenario regarding a Google
privacy leak:

<http://bit.ly/bCrVll>

------
rdj
They changed it. The new header is:

X-Facebook: from zuckmail ([MTI3LjAuMC4x])

(127.0.0.1)

So I guess, nothing else to see here. Move along.

------
robryan
I'd be surprised if someone really wanted my IP they couldn't get it just by
getting me to visit something off facebook.

------
jarin
Your computer may be broadcasting an IP address!!

------
devinj
Why does this matter? I get others' IPs and send my IP all the time (e.g. IRC).
If I was worried about my IP, I would use something like tor when doing
everything. But worrying about IPs seems... silly. An IP is just so
uninformative, unless somebody subpoenas my ISP or something.

~~~
rm-rf
"unless somebody subpoenas my ISP or something"

And in addition to your secure wireless SSID, you have an open SSID at your
house that you maintain just for that reason, right?

Mine's named Free_Porn.

------
stcredzero
"Leaks IP address" as a dramatic headline is an indicator that the poster is
not so savvy about networks and security. Seriously, this is the level of
knowledge I observed in the typical high school student 3 years ago or so.

------
davidmurphy
I just did this on an email about a comment on my wall post by someone at a
nonprofit. Sure enough, it came up with not just an IP, but a subdomain
listing that nonprofit's domain name.

Yes, it works.

------
dmn001
Perl 1-liner: <http://bit.ly/cNHkzQ> Every other day I see facebook and
privacy in the same sentence..

~~~
natrius
_"Every other day I see facebook and privacy in the same sentence.."_

That's because Facebook-bashing has become fashionable. There is absolutely
nothing wrong with the behavior described in the article. It's how email is
supposed to work. There is no way to accidentally include the IP address in an
email header. They (presumably) do it on purpose.

------
harshpotatoes
Note: I haven't experimented with this yet.

Are we sure this is the ip address of the user and not just the ip address of
one of facebook's servers?

If it is a user's address... is that a problem? This seems like very easy to
obtain online information... for example, by sending an email to the person I'm
trying to talk with via facebook...

~~~
rdj
It's the user (I tested with 2 friends to verify). Here's a scenario we talked
about in my house: One potential problem: friends-of-friends. A
friend-of-friend comments on something your mutual friend put out, you then
comment, the first friend (whom you don't know) can use this trick to ballpark
your location.

~~~
harshpotatoes
Right. But you're all talking to each other. It seems to me this same info
would still be available to everyone if you were emailing each other. I don't
really see this one as a huge security risk...

------
chronomex
This is not new _at all_.

Here's a segment of an email header from 2006:

      X-Facebook: from zuckmail ([128.208.54.23])
              by washington.facebook.com with HTTP (ZuckMail);
      Date: Sun, 10 Dec 2006 12:31:27 -0800
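
Added example, not part of the thread or of any poster's code: an audit of what an `X-Facebook` notification header discloses, covering the three forms quoted in this discussion (the plain literal from 2006, the Base64 form, and the `127.0.0.1` placeholder seen after the change). The function names and the `SAMPLE` input are hypothetical; the sample is assembled from values quoted above plus one constructed non-address token.

```ruby
require 'base64'
require 'ipaddr'

# Bracketed token in "X-Facebook: from zuckmail ([...])".
X_FACEBOOK = /^X-Facebook:\s*from\s+\S+\s+\(\[([^\]]+)\]\)/i

# SAMPLE: constructed from values quoted in the thread, plus "not-an-ip" in Base64.
SAMPLE = <<~HEADERS
  X-Facebook: from zuckmail ([128.208.54.23])
  X-Facebook: from zuckmail ([NzQuMTI1Ljk1LjEwNA==])
  X-Facebook: from zuckmail ([MTI3LjAuMC4x])
  X-Facebook: from zuckmail ([bm90LWFuLWlw])
HEADERS

def parse_ip(text)
  IPAddr.new(text)
rescue ArgumentError # IPAddr's own errors subclass ArgumentError
  nil
end

def decode_b64(token)
  Base64.strict_decode64(token)
rescue ArgumentError
  nil
end

# Try the token as an IP literal first (2006 form), then as Base64 (2010 form).
def token_to_ip(token)
  parse_ip(token) || ((decoded = decode_b64(token)) && parse_ip(decoded))
end

# What the recipient learns: a routable address, or only a placeholder.
def exposure(ip)
  return :not_an_ip if ip.nil?
  return :loopback if ip.loopback?
  return :private if ip.private? || ip.link_local?
  :public
end

# One result per X-Facebook header found in the raw header text.
def audit_headers(raw)
  raw.each_line.filter_map do |line|
    next unless (m = X_FACEBOOK.match(line))
    ip = token_to_ip(m[1])
    { token: m[1], ip: ip&.to_s, exposure: exposure(ip) }
  end
end

audit_headers(SAMPLE).each { |r| puts r.inspect } if __FILE__ == $PROGRAM_NAME
```

A `:public` result means the notification carries a routable address to its recipient; `:loopback` is what the changed header reported further up would produce.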

------
oomkiller
And so does every popular webmail provider. I remember learning about this
when I was 12.

------
petercooper
It must suck for the one user who has had all their IP addresses leaked.

------
jseifer
Your computer is broadcasting an IP address!

------
wildmXranat
Can someone write a GUI in Visual Basic to track these IPs please?

~~~
jasonlbaptiste
will do after i finish my logowriter script

LEFT 90 UP 90

move turtle move!

~~~
jacquesm
It's turtles all the way left and up then ? I thought they only went down ;)

------
u48998
Seems Facebook users are born in 2009 or afterwards. Every email service
sends your IP address with the email. The exception is Google.

~~~
sounddust
1) Someone tagged me in a photo and it leaked their IP address.

2) Someone who is not even my friend commented on someone's status, and I got
a notification because I made a comment before her. It leaked her IP address
to me.

These situations are not comparable to e-mail, and I seriously doubt these
people reasonably expected their IP address to be sent to me based on these
actions.

