
Facebook security hole allows viewing of private photos - zone411
http://forum.bodybuilding.com/showthread.php?t=140261733
======
mkjones
This was indeed a bug, and shouldn't work any more. We turned off the system
that lets you report content through this flow (and thus made this bug's code
inaccessible) as soon as we became aware of the issue.

In the future, if you find a security / privacy bug on Facebook, feel free to
report it via our whitehat program, which will get things looked at more
quickly than random blog posts. You can get credit for the find and even make
money with bug-bounty payouts: <http://www.facebook.com/whitehat/>.

For what it's worth, a few people were alluding to this meaning that we don't
check privacy by default. In fact we do have a pretty robust default-deny
system for running privacy checks. This was an edge case where it was forced
to work in a way that was incorrect.

(I work at Facebook, but not on this system.)

~~~
zone411
Knowing about your special page for reporting privacy holes would not change
my decision to post it here. I think more good will come when media picks it
up and some Facebook users realize that a company with your record of terrible
privacy decisions and incompetence should not be used for posting anything
private or even at all. If you were a startup stretched for resources or if
this hole could've been exploited to install malware, I'd of course attempt to
contact you first. $500 for reporting security holes for a company of your
size is also insulting, BTW.

~~~
mkjones
Ah, just realized you're the OP. I don't think there's anything particularly
irresponsible about posting an already-public disclosure to HN or other
aggregators. It's the first person posting it publicly without first privately
disclosing that I find irresponsible.

~~~
AndyJPartridge
May I ask for your opinion on the $500 bounty issue that was mentioned?

~~~
mkjones
from <http://news.ycombinator.com/item?id=3321366>:

> I think having a bug bounty program is actually a lot better than the vast
> majority of sites / vendors that don't even have a whitehat [aka
> responsible] disclosure program, let alone a bug bounty program. It's worth
> noting that this is just the base bounty - I've seen us pay out a lot more
> for good discoveries. $500 is also the base that Google and Mozilla offer
> for their programs
> (<http://googleonlinesecurity.blogspot.com/2010/11/rewarding-w...>,
> <http://www.mozilla.org/security/bug-bounty.html>). What would be a good
> price, do you think? I'm not hooked in enough to know what black market
> prices are like for bugs like this.

------
kristopolous
General form appears to be as follows:

    http://www.facebook.com/ajax/report/social.php?
     __a=1&
     __d=1&
     attach_additional_photos=1&
     cid=((FBID))&
     content_type=0&
     h=((HASH BASED ON YOUR ACCOUNT))&
     phase=6&
     report_id=1&
     rid=((FBID))

After you get that initial hash then you can swap out the CID and the RID and
get everyone else (I tried it for 3)... it's pretty easy.

This issue is probably going to make mainstream news by noon.

~~~
noname123
I tried to follow this url format by using Chrome Developer toolbar after
clicking on "report this photo" of a non-private photo to extract my account
hash id, rid and cid of the interested person. It's a GET according to
Developer tool.

I get this however,

    for (;;);{"__ar":1,"error":1357006,"errorSummary":"Don't have Permission","errorDescription":"You don't have sufficient permissions to do that.","payload":null}

Anyone know if it's already patched?

~~~
axiomotion
Get the same error, guess it is already fixed.

------
robertjordan
Excellent find. You can even access around 25 photos from Mark Zuckerberg's
profile.

<http://imgur.com/a/PrLrB> (ps: what a nice photo of them on halloween. very
generous too I can see!)

~~~
llambda
Interesting that those are full-sized. It appeared in the forum post to only
be giving access to thumbnail resizes of the original images.

~~~
slig
Apparently, you can change a char in the thumb URL to get the full size image
URL.

~~~
llambda
That seems to be true only of certain URLs. For instance, if it's all one
long, encoded string followed by _a or _s then changing a or s to n produces the
full-size image. However some thumbnails aren't formatted in this way and as
far as I know can't be (easily) resized to full. Someone please correct me if
I'm wrong.

Edit: it appears this same char is available in both URI formats I was
referring to, so yes, full-size images are exposed.

------
ianhawes
This is a security hole and nothing more. Developers make mistakes. This is
not some vast conspiracy by Facebook to undermine your privacy. Why, of all
places, is HackerNews unable to comprehend this?

~~~
brlewis
If you see a comment that makes it sound like there's a vast conspiracy,
please post in reply to that comment. I don't see any such comment. HN appears
to be comprehending just fine.

~~~
cbabraham
<http://news.ycombinator.com/item?id=3319018>

This comment seems to argue that this was intentional.

------
tzury
someone [1] pulled this trick on Zuck's account [2]

1. <http://twitter.com/#!/flyosity/status/144065873743839233>

2. <http://imgur.com/a/PrLrB>

~~~
flyosity
This is a little too meta... I tweeted that (that's me!) but the link to
Zuck's photos was found further down in the comments here on HN. That's where
I saw it.

~~~
karlzt
<https://news.ycombinator.com/item?id=3318903>

------
hannibalhorn
Funny how something like this is originally posted on a body building forum. I
think the first reports of the recent Penn State scandal were posted there too
(around a year ago.) Who would have thought that's where you'd first find such
things?

~~~
pud
Bodybuilding.com started as a forum about bodybuilding, but over the years
morphed into a large general message board with all sorts of members.

Behold, "misc," the /b/ of bodybuilding.com:
<http://forum.bodybuilding.com/forumdisplay.php?f=19>

------
CWuestefeld
If that doesn't prove that FB's developers aren't thinking about security, I
don't know what would. Nobody who is in a culture of protecting security would
even consider building this.

~~~
tectonic
Or privacy. The assumption here is that if someone thinks you have an
inappropriate photo, you now have no right to privacy?

~~~
judofyr
I doubt that's the way this happened. More likely, the person who implemented
the "inappropriate photo" feature wasn't fully aware that the "Report"
functionality was enabled for everyone and not just your friends.

However, someone had to implement the backend for listing out those photos,
and they clearly didn't think of access control, so there's at least
_something_ fishy here…
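As an added illustration of the access-control failure judofyr describes above (example code written for this thread, not Facebook's own; the user ids, audience labels and the meaning of the `cid` parameter are constructed assumptions): a default-deny privacy predicate, a report flow that assumes reaching the "attach additional photos" step implies permission and so never runs it, and the fixed flow that applies the same predicate to every photo whatever the caller.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner_id: int
    audience: str  # "public", "friends" or "only_me" (constructed values)


# Constructed sample data: user 100 owns three photos and is friends with 200.
FRIENDS = {100: {200}, 200: {100}}
PHOTOS = [Photo(1, 100, "public"), Photo(2, 100, "friends"), Photo(3, 100, "only_me")]


def can_view(viewer_id: int, photo: Photo) -> bool:
    """Default deny: every branch that returns True is an explicit allow rule."""
    if viewer_id == photo.owner_id:
        return True
    if photo.audience == "public":
        return True
    if photo.audience == "friends" and viewer_id in FRIENDS.get(photo.owner_id, set()):
        return True
    return False  # anything not explicitly allowed, including unknown audiences


def attach_additional_photos_buggy(viewer_id: int, reported_user_id: int) -> list[int]:
    """The failure mode from the thread: the flow lists the reported user's photos
    on the assumption that being in a report implies the viewer may see them,
    so the privacy predicate is never consulted."""
    return [p.photo_id for p in PHOTOS if p.owner_id == reported_user_id]


def attach_additional_photos_fixed(viewer_id: int, reported_user_id: int) -> list[int]:
    """Fixed: the same per-photo predicate runs regardless of which flow asked,
    so the list can never exceed what the viewer could see on the profile."""
    return [p.photo_id for p in PHOTOS
            if p.owner_id == reported_user_id and can_view(viewer_id, p)]


def handle_report(params: dict, viewer_id: int, handler=attach_additional_photos_fixed) -> list[int]:
    """Models the query-string entry point. Assumption: ``cid`` is the reported
    user's id. A request flag on its own must never widen what a viewer may list."""
    if params.get("attach_additional_photos") != "1":
        return []
    return handler(viewer_id, int(params["cid"]))
```

Swapping `handler=attach_additional_photos_buggy` into `handle_report` reproduces the leak for a stranger (viewer 300 gets all three photo ids); the fixed handler returns only the public one.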

~~~
rplnt
It's not the first time either. Very similar breach of privacy happened when
they implemented "view my profile as ..." functionality. You gained access to
the private data of the user you were simulating.

------
Archio
This isn't even a security hole, it's a complete security disaster. Did they
even think through the process for five minutes before they built that? I
mean, there aren't even any hacks involved.

Nice find.

~~~
tantalor
> there aren't even any hacks involved

I doubt law enforcement would see it that way. Downloading photos with this
method is not much different than guessing somebody's email or voicemail
password; you're accessing something you're not supposed to.

See 18 U.S.C. § 1030(a)(2)(C) and § 2701.

~~~
pepper92
This is probably closer to guessing someone's phone number than their
password.

~~~
nthj
I wouldn't bet jail time that a judge sees it that way.

------
einhverfr
Facebook is an excellent personal marketing tool. However, I think at this
point you'd have to be a fool to put material on it you want to be private. Of
course, what PT Barnum said....

~~~
baha_man
"Of course, what PT Barnum said..."

Or possibly didn't say:

<http://en.wikipedia.org/wiki/Theres_a_sucker_born_every_minute>

~~~
rodion_89
It looks like HN removed the apostrophe so here is a bit.ly version that
works.

<http://bit.ly/kyYCxk>

------
pasbesoin
Seriously, FB, do you have no QA whatsoever?

I wonder whether this is limited to photos in the profile album, or whatever
it is called, these days.

EDIT: I'll add this suggestion that I've made before, since you're going to
have a LOT of people wanting to delete photos, if this problem proves to be
significant. Delegate someone to spend a few hours writing a routine that will
replace a cached photo with an identically sized, all white (or black, blue,
whatever), no metadata generated image. So, you don't have to rebuild your
image caches in order to ensure that a photo is really gone (well, except for
the fact that it once existed, as demonstrated by the working URL and white
image).

I've read the excuse made in the past that aggressive, large, integrated image
caches made actual photo deletion "not an option". As long as you can
overwrite existing bits in place, this should solve that. (Although I don't
know about all the tagging you've now since overlaid onto the images.)

~~~
vaksel
isn't there another problem with facebook, where none of your photos are ever
deleted and can be accessed by the direct url at any time?

~~~
pasbesoin
I haven't kept up, but IIRC that used to be the case. And that's what I'm
addressing.

A few years ago, I believe, they explained that they generate these ginormous
image caches where, IIRC, individual images are not distinct files.

My point is, regardless, if you can find the image (and its extent), and if
the cache data are still write-able, then overlay a generated "blank" image
onto the cached image, in place. You still have some data leakage, in that the
working URL confirms that there was an image having that URL. But for most
cases, I believe this would suffice.

I guess they'd also have to track down and overwrite the various thumbnail
versions, but if their systems can already find these in the course of their
normal work, this shouldn't be a problem.

As for overlaid tag data and whatnot, I'm not sure what to suggest. At a first
pass, I'd suggest just deleting (or "offlining" or whatever, given that FB
apparently never really deletes anything) that data. But I don't know what
continuing dependencies that might break.

EDIT: I should add that I don't know whether/how such image caches are
replicated. And perpetuating such an overwrite against multiple replications
might not be easy / something the existing design supports.

Nonetheless, I think it's something they _should_ support. At a minimum, when
a user really wants to delete an image, then overwrite its segment of whatever
image cache file with a "blank" equivalent.

Although... then you get into what may be legally required and/or prudent,
from FB's perspective, to retain.

I'll stick to the simplistic user perspective: When I say delete, I mean
_delete_.

~~~
peterhunt
Maybe that was true in the past, but today when you delete your data it is
gone. Trust me, I wrote it myself. The law enforcement guidelines that have
been circulating recently corroborate this.

~~~
pasbesoin
Thank you for the update/clarification.

I deleted a couple of pictures this morning (nothing 'nekkid' ;-) and will
have a look to confirm that they are indeed "gone" (inaccessible via direct
URL -- albeit the URL of a CDN).

Would you happen to have the identity or URL of a specific guideline that you
could point to?

EDIT: I just checked the URL of an image I deleted about an hour and a half
ago, and that image is still accessible. It is under akamaihd.net;
nonetheless, it is still accessible.

~~~
peterhunt
Things take a while to fall out of CDN cache, I forget what the TTL is these
days but it should be reasonable.

~~~
pasbesoin
Understandable. I'll check again, a bit later.

Thanks again for taking the time to reply.

~~~
pasbesoin
About 6:20 since deletion, and the images are still accessible at their
akamaihd.net addresses. I'll have a look again tomorrow.

~~~
peterhunt
We are probably talking days, not hours here. But your underlying photo
metadata is already gone.

------
DrinkWater
Seems to be already fixed. The last option described in this tutorial is not
there any longer.

~~~
willvarfar
Reading the thread, it seems that it doesn't work for all accounts and there
is speculation it only works if you have the US English locale.

~~~
funkeemonk
Created a throwaway account to test this against my own account, didn't work
even with US English set. There's more to it.

------
citricsquid
It would seem based on the screenshot ("Message x to ask them to remove the
photo...") that they must have specific permissions set to cause this to work
as I can't replicate on people that I can't message.

~~~
jerfelix
I disagree. You can message people that you aren't friends with. See the first
screen shot ("add her as a friend or send her a message").

I think the reason it only works on some profiles is that perhaps the profile
pictures are the only ones that it will show you. And some people only have
one profile photo. (This is an untested theory / guess.)

~~~
funkeemonk
Tested this theory against my account using another throwaway one. My real
account has several profile pictures and the exploit didn't work.

------
Zhenya
Boy, I wonder what the FTC will say about this...

------
kmfrk
This is how many days after the FTC settlement?

------
dpeck
The more often this happens, maybe the more normal people will understand that
anything put online should be considered to be public. The illusion of the
walled garden eventually comes down, either through a vulnerability, policy
change, or simply user error.

------
ricksta
I wonder how people discover this

------
djbender
still works.

------
blob4000
mirror to exploit instructions + pictures
<http://www.multiupload.com/RC184ELRZ9>

------
lobster45
This is why I never post private pictures on Facebook

------
mrgreenfur
Ugh, JW blue

------
simondlr
Moving fast and breaking things.

------
digitalsushi
Don't do it, kids. You'll find photos of that girl you pined for 2 years after
you never made your move and she's way more fun and in way better shape than
you ever guessed. It's rough to ruin the fantasy, but torture to augment it.

