
Deleted Facebook photos persist in CDN cache 16 months later - Terretta
http://arstechnica.com/web/news/2010/10/facebook-may-be-making-strides.ars
======
tptacek
This is really more of a PR vulnerability than a real problem. The fbcdn URLs
are unguessable; it would require a comparable amount of effort to brute-force
a Facebook session token, which would yield all your current private photos.

The only thing that can happen as a result of the fbcdn cache is that a
malicious friend could publish the stale fbcdn URL. But that same malicious
friend could also publish the picture itself on any of a dozen photo sharing
sites, and that "attack" is far more damaging: Facebook can't trace it or shut
it off.

It is, I suppose, worth pointing out that this is a reason to be irritated at
any friend who republishes your photos by hotlinking to the Facebook CDN.

~~~
Terretta
I recall we discussed this a couple weeks ago.

The vulnerability is Facebook's social contract with non-technical users, user
trust based on mental models of how it should work. For users of privacy
settings, trust matters.

A user knows things they are sharing can be used by those they share with. But
when they delete something, in their mental model it's been deleted, and they
become (with fair reason) upset if they learn it's not.

If users delete a Facebook post or change its privacy setting, it's gone or
inaccessible. If they delete a photo, it's still there and still accessible.
That's unexpected behavior.

There's no good _non-technical_ reason text content and image content
shouldn't be equally carefully managed by Facebook.

~~~
tptacek
In one case, users can use the first-class well-documented features of their
browsers to violate Facebook users' mental model of how much control they have
over their photos.

In the other case, users can use less well-documented features of their
browsers to violate Facebook users' mental model of how much control they have
over their photos.

The fact that Facebook could address the latter problem but hasn't doesn't
upset me, because it's mooted by the former problem.

I acknowledge the PR problem they have blundered into by accepting this
otherwise insignificant risk, though: bored tech journalists can use it to gin
up sensational stories that further the narrative about Facebook's cavalier
attitude towards privacy. I'm not suggesting that it was a good call on
Facebook's part to do this.

~~~
Terretta
Fully deleting the photo at least reduces the user's attack surface.

~~~
tptacek
Imagine a web application with an SQL Injection flaw. There's a zillion things
the application can do to "reduce its attack surface" without fixing the flaw;
for instance, it can log you out and lock out your account if you ever cause a
SQL syntax error. Of course, virtually all of these things are dumb.

Facebook could reduce its attack surface _meaningfully_ by eliminating the
static-file CDN. But this isn't a reasonable step to take; it generates
minimal (infinitesimal!) privacy advantages for users while drastically
complicating their service.

------
weixiyen
Don't post stuff you don't want other people to see - plain and simple.
Someone could just as easily have copied and re-uploaded it. Hope this topic
doesn't devolve into Facebook-bashing.

~~~
johns
I'll also make sure to avoid showing up in any pictures taken by a camera I
don't control. And stop everyone I know or don't know that may have taken a
picture of me and posted it from doing so. It's naive to think this is only
stuff posted by the people in the pictures.

~~~
al_james
If you don't want your photo taken, or the possibility of it showing online,
don't go outside!

------
TeHCrAzY
Is it possible that, because they continue to access it, the expiry on the
cache is being refreshed?

------
al_james
And it will still probably be on google image search, and then the wayback
machine. In short: You can't close the door after the horse has bolted: If any
digital content gets published there is very little you can do to take it
away.

That said, they must be wasting a huge amount of CDN storage on these old
photos!

~~~
Terretta
Neither GIS nor Archive.org will index or archive photos you haven't set
public. ("Friends Only" is not public.)

~~~
al_james
I think you will find that's the case unless someone hotlinks the image.
Facebook permissions work at the level of the page showing the image, not on
the image file itself.

~~~
Terretta
> _"Facebook permissions work at the level of the page showing the image, not
> on the image file itself."_

Exactly. HN discussed this a couple weeks ago:

<http://news.ycombinator.com/item?id=1740271>

I'd written:

 _Facebook operates web servers generating authenticated and authorized web
pages. These pages are dynamic, generated per user, based on current privacy
settings. These privacy-managed pages contain links to assets considered, by
users, to be just as private as the page._

 _When the user changes privacy settings for the page, the linked assets
privacy could easily be kept in line, as demonstrated by CloudFront CDN being
able to support private content links._

 _Facebook's fault is that the privacy managed page links to public (non-
privacy managed) assets, using links that do not respect the containing page's
privacy settings._

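The "private content links" Terretta points to above, as an added example that is not from the thread or from Facebook or CloudFront: a per-viewer, HMAC-signed, expiring asset URL, together with the check a CDN edge would run before serving the file. The host name, the signing key and the `is_still_shared` policy callback are constructed assumptions for illustration.

```python
import hashlib
import hmac
import time
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example key; a real deployment loads this from a secret store.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"


def _mac(path: str, expires: int, viewer_id: str) -> str:
    """HMAC over path, expiry and viewer, so none of them can be swapped."""
    msg = f"{path}|{expires}|{viewer_id}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_asset_url(path: str, viewer_id: str, ttl: int,
                   now: Optional[int] = None) -> str:
    """Mint a short-lived asset URL for one viewer, in the style of CDN signed URLs.

    The privacy-managed page would embed this instead of a bare static link, so the
    asset link inherits the page's audience and a bounded lifetime."""
    exp = (int(time.time()) if now is None else now) + ttl
    qs = urlencode({"exp": exp, "vid": viewer_id,
                    "sig": _mac(path, exp, viewer_id)})
    return f"https://cdn.example.invalid{path}?{qs}"  # hypothetical CDN host


def verify_asset_url(url: str, is_still_shared: Callable[[str, str], bool],
                     now: Optional[int] = None) -> bool:
    """Edge-side check: valid signature, not expired, and still shared with viewer.

    The policy callback stands in for an origin lookup; with it, deleting or
    un-sharing a photo takes effect immediately rather than at cache expiry."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        exp = int(q["exp"][0])
        vid = q["vid"][0]
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(sig, _mac(parts.path, exp, vid)):
        return False
    if (int(time.time()) if now is None else now) >= exp:
        return False
    return is_still_shared(parts.path, vid)
```

Even without the policy callback, the short TTL bounds how long a stale link keeps working after a deletion, which is the gap the article describes.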
------
changcommaalex
What is worse is that the user IDs of the posters of the photos are encoded
into the image URLs, which makes it extremely easy to identify the owner.

------
calloc
The image is showing up as nothing for me...

~~~
alexyim
I guess the way to make Facebook delete photos is to write popular articles
where you list the photos that you want deleted.

------
pasbesoin
My understanding may be wrong, but I recall one explanation a year or two ago
that the manner in which the photos are aggregated for storage makes
deleting/removing a single photo relatively quite expensive in terms of
resource utilization.

If that's the case, my suggestion would be to effect an immediate deletion by
overwriting the image with a "blank" image dynamically constructed to be the
same size as the one it's replacing. Slap it over the old one and be done.
Perhaps also executing a full deletion/removal periodically and/or whenever
the encompassing aggregation is updated for another reason.

There would be some continued leakage potential for context, but at least the
image itself (and any embedded metadata, although I'm assuming FB strips that
upon upload) would be effectively gone.

------
natrius
In other news, photos persist on your hard drive after you delete them.

~~~
jonknee
Though not in a globally accessible form.

~~~
tptacek
In other news, if your "friends" repost your Facebook photos to other photo
sharing sites, those posts are not deleted after you delete your Facebook
photo.

Same issue.

~~~
jonknee
It's not really the same issue. This issue is you tell Facebook to delete
something and they don't. I don't really see it as a huge problem myself, but
I can see how someone who's not familiar with how CDNs work would be upset.

~~~
tptacek
It's definitely a real PR problem, even if it isn't a semantically authentic
security problem (a term I have just coined).

~~~
jonknee
I find it akin to how if you know a photo's URL you can view it regardless of
rights. That makes perfect sense if you know how web servers work and that
there is enough randomness in the URL that it really is secure, but to a lot
of people it _feels_ wrong. I know 90% of my friends would be shocked that I
could post a public link to their beach photos.

------
Rabidgremlin
I wonder what the CDN costs look like for storing all these "deleted" images?
Can't be cheap.

