
Facebook leaking Notes? - fogus
http://www.google.com/search?q=site%3Ahttp%3A%2F%2F69.63.186.30%2Fnotes.php
======
jacquesm
I think you may be right. I played around with that a bit and plenty of the
notes that I can read are from people whose profiles are locked down pretty
tight.

------
indigoviolet
Are we sure that these notes have privacy settings that are non-public?

~~~
skolor
Keep in mind how Google's database works: These notes can only be found if
there is a link to them on a page already in their database. That means one of
two things: Their profile is set so that Google can read it, and it scraped
the link from there, or someone posted a link outside of Facebook to the note.

It's a lot like all of the private FTP sites you find in the Google database
(Do a search that resembles * : +intitle:index.of +"last modified" +"Port
80"). While some of them may have been meant to be public at one point, all it
takes is one link pointing in for Google to find it and open it to the world.

*A note about that search: it returns some place in the realm of ~12 million results. A massive number of those are intentionally open, for things like open source projects. You'll have to append something ridiculous like -inurl:(com|org|net|edu|gov|uk|fr|gr|www|jp|ftp|eu|biz|info|ww|ca|ac|ru|se|us|ch|ua|pl|ch|am|co) to even start seeing links to IPs, which I would guess have around a 99% probability of being someone's home computer that they put Apache on to make life easier, and then put a link some place so they could remember it.

------
pfenwick
From a sample of 3-4 tests, these appear to be public notes, or notes from
pages. If you want to see who the notes belong to, then take the URL from the
Google search that looks like this:

69.63.186.30/notes.php?id=108682512183

and use the id at the end of URL to form a profile page:

www.facebook.com/profile.php?id=108682512183

If you're not a friend, and you can navigate to the entity's notes, then you
can be pretty sure they're public.

If they are public, then it's not surprising that Google indexes them.

------
taitems
I thought being searchable would provide some hilarious or insightful notes.
But frankly, no matter what I search for, it's only mentioned in someone's 25
things about me/my friends quiz.

------
diiq
One could plausibly scrape a significant portion of the adjacency of the
network from chained searches for '25 things' and similar notes.

~~~
skolor
The only problem is accessing all those results Google has stored away. The
attempts I have made to access their database have met with huge failures,
except when jumping through some rather massive hoops. They restrict you to
the first ~60 results if you do what they want and use the API, and ~250
results if you cheat and scrape the pages directly.

That's what makes Google a little disturbing to me. Their database is (in
theory) open, but to get any more than a very small segment at a time you have
to either craft ridiculous queries.

~~~
diiq
That's what makes this work, though --- you only need one result, one name and
the associated 'tagged' names. Then you search each of the tagged names.

60 results is plenty to get one good result per name --- heck, you don't even
need that _one_. Even just one good result per _ply_ will get reasonable
results.

------
jmathai
Apparently these include private notes as well. I don't use facebook so I
can't tell for sure.

[http://www.reddit.com/r/programming/comments/9jn8i/facebook_...](http://www.reddit.com/r/programming/comments/9jn8i/facebook_fail_a_misconfigured_webserver_has/)

------
brown9-2
If you have to be logged in to view a "private" note, how is the Google bot
able to access it?

~~~
zandorg
Maybe the Google toolbar (like Alexa)?

------
DarrenMills
Has anyone made their own notes private, and then tried searching like this? I
assume you'll have to wait a day or two...

~~~
unalone
My profile is still entirely unfindable.

------
spicyj
Terrifying.

~~~
unalone
I regret posting my social security number, home address, and the names of my
most cherished loved ones in notes. I may never recover.

------
kneath
You can set the privacy of notes:
[http://share.kyleneath.com/captures/Firefox-20090911-181428....](http://share.kyleneath.com/captures/Firefox-20090911-181428.jpg)

------
kwamenum86
<http://news.ycombinator.com/item?id=816562>

Just sayin'

------
robotron
My own private notes didn't show up.

------
Speet
I suppose those are only supposed to be readable to friends?

~~~
teeja
If you put it online, it will fall out _every time_

