How to harvest Facebook profiles from emails without logging in - pskomoroch
http://petewarden.typepad.com/searchbrowser/2010/02/how-to-harvest-facebook-profiles-from-emails-without-logging-in.html

======
_delirium
Facebook's approach to images seems broken security-wise all around. You can
also get to non-public images if you know the URL of the jpg --- linking to the
image page won't work, but a direct link to the JPG will happily serve itself
up.

~~~
jcapote
This is a notoriously hard problem to solve if you still want a traditional web
server serving out static assets (which is the fastest way to do so). The only
way I've seen to serve static content in an authenticated fashion is to serve
it out of the application itself using the appropriate headers. I'm curious
how others have solved this though...

~~~
_delirium
It's not foolproof, but I think one common way is for the static-content
server to check for an appropriate authentication cookie. In Facebook's case,
an additional complication is that they serve lots of the static content off
Akamai, so any authentication would have to be coordinated.

~~~
maurycy
The cookie slows things down a bit. I've never had such a problem, but what
about complete randomization of static URLs, so they are not easily findable?

If the leaks are the issue, one might want to change the names, or just
filesystem symlinks, periodically.

~~~
catch23
Couldn't they just solve it by serving up an image with a hash of the Facebook
uid as the filename?

~~~
maurycy
Facebook uid = users.id? It gives zero privacy then.
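
The sub-thread above contrasts two ways of making private image URLs hard to find: an unkeyed hash of the user id (which anyone who knows the uid can recompute) versus URLs that are unguessable without a server-side secret. The following is an added illustration, not code from the linked article or from Facebook, of why the first scheme gives no privacy and how a keyed, expiring signature (an HMAC, as used by CDN-style "signed URL" schemes; the exact design here is the editor's own assumption) lets a plain static server or CDN edge validate a request with nothing but a shared key. `SECRET_KEY` and the paths are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side key; a real deployment loads it from a secrets store
# and shares it with whatever edge (CDN, static server) validates the URLs.
SECRET_KEY = b"assumed-server-side-secret"


def uid_hash_name(uid: int) -> str:
    """The weak scheme from the thread: filename = SHA-256(uid).

    The function is deterministic and needs no secret, so anyone who knows or
    enumerates user ids can recompute every filename. It hides nothing.
    """
    return hashlib.sha256(str(uid).encode()).hexdigest() + ".jpg"


def _signature(path: str, expires: int, key: bytes) -> str:
    # Bind the path and the expiry time together under the key so neither can
    # be swapped without invalidating the signature.
    msg = f"{path}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, expires: int, key: bytes = SECRET_KEY) -> str:
    """Issue a time-limited URL: path?expires=<unix time>&sig=<HMAC-SHA256>.

    Only a holder of `key` can produce a valid `sig`, so the URL is unguessable
    even for someone who knows the uid and the storage layout.
    """
    sig = _signature(path, expires, key)
    return f"{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url: str, now: int, key: bytes = SECRET_KEY) -> bool:
    """Check a URL the way a static server or CDN edge would: no session,
    no database lookup, just the shared key and the current time."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or malformed parameters
    if now > expires:
        return False  # link has expired; a leaked URL stops working on its own
    expected = _signature(parsed.path, expires, key)
    # Constant-time comparison so timing does not leak the expected signature.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed demonstration values.
    print("hash-of-uid name (recomputable by anyone):", uid_hash_name(4))
    url = sign_url("/photos/constructed-example.jpg", expires=1_700_000_000)
    print("signed URL:", url)
    print("valid before expiry:", verify_url(url, now=1_699_999_999))
    print("valid after expiry: ", verify_url(url, now=1_700_000_001))
```

The point for defenders is that the edge needs no knowledge of users or sessions, which keeps the serving path as fast as a plain static server, while a leaked URL is worthless once it expires and cannot be minted for another photo without the key. Rotating `SECRET_KEY` invalidates every outstanding link at once, which is the keyed equivalent of the periodic renaming suggested in the thread.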

------
tarkin2
I've said it before, but I'd advise people change the email addresses they've
attached to facebook. And definitely don't use the email address you give out
to employers.

~~~
jonknee
Or just adjust your privacy settings so that only your friends can see
anything. I don't show up in search results for example.

------
maxklein
That's a pretty clever trick. I heard from some people that after doing the
bulk upload thing, if your account in any way promotes a business, it gets
shut down after about a week. Anyone who uploads large contact lists to
Facebook gets into some type of human review system.

------
sambeau
Please don't. :(