
Facebook privacy issue: Google search reveals email addresses in Facebook - a4agarwal
http://corywatilo.com/a-real-facebook-privacy-issue-email-addresses
======
blakeross
Hey all,

I work at Facebook, but this is not an official media statement.

This doesn't appear to be a Facebook bug that leaks anyone's private email
address. It appears that all the examples indexed in Google exist in Google
because they were already published publicly on other Internet sites. We're
committing a fix right now to stop indexing this page in Google, but even that
wouldn't prevent email addresses from being published because it appears that
users are already republishing their addresses in other non-Facebook venues.

For example, if you see
[http://www.facebook.com/o.php?k=afc4a7&u=1018862530&...](http://www.facebook.com/o.php?k=afc4a7&u=1018862530&mid=21f667bG3cba9bc2G0G8)
in isolation, it appears to be divulging private information.

However, the original Facebook email that links to that page and contains the
user's email address was republished publicly on a mailing list archive by the
owner of the email address:
[http://games.dir.groups.yahoo.com/group/Living_Greyhawk/mess...](http://games.dir.groups.yahoo.com/group/Living_Greyhawk/message/98175)

Does anyone see an example where this is not the case that constitutes a
privacy leak?

Blake Ross

~~~
blakeross
Furthermore, the author of the blog post in question republished his own
Facebook email on [http://corywatilo.com/reminder-cory-invited-you-to-join-
face...](http://corywatilo.com/reminder-cory-invited-you-to-join-facebook)

Although his email opt-out link has been edited out of that email (see "please
clic to unsubscribe." at the bottom), it appears that the email was originally
published to Posterous in its entirety via his iPhone and then edited later,
after it was picked up by Google.

(Update: The author of the original blog post acknowledges this below.)

~~~
corywatilo
This is possible. +1 Blake

Would be nice for FB to exclude that page from getting indexed though.

~~~
blakeross
Thanks for the acknowledgment Cory. FYI, we collaborated with Google and these
pages are no longer indexed as an extra precaution:

<http://www.google.com/search?q=site%3Afacebook.com%2Fo.php>

------
a4agarwal
Google is indexing Facebook's "Opt out of emails from Facebook" page for email
addresses that were submitted using the "Find a friend" feature.

I checked out the Google site and saw a few addresses in the format
name.secret@blogger.com, which indicates these are the SECRET email addresses
people use to post to their blogger sites. Pretty bad.

------
Matt_Cutts
I can debunk the misconception that Google somehow crawled "private" or Gmail
content to discover these links. How can I prove it? Because Yahoo crawled
these pages too. Here's a screenshot I took of Yahoo returning similar pages:
<http://www.mattcutts.com/images/yahoo-facebook-leak.png> including a Gmail
address. Yahoo clearly didn't discover that content via Gmail--it found it via
public links on the public web. That's how Google found these pages too.

------
gojomo
With Google and Facebook working together as a 1-2 punch, I'm confident we can
squash the last vestiges of privacy very soon.

~~~
corywatilo
Just wait until Obama buys them. Or just decides to take them over.

------
Freebytes
I wonder why we are seeing more issues about Facebook privacy recently. Is it
because the coverage of this has made people start questioning their policies
and looking into things that have not been researched, or is Facebook becoming
more lackadaisical about privacy as time passes? Or, have these things been
said a lot in the past, and we are just now realizing the plethora of
complaints?

~~~
andreyf
It's a self-reinforcing problem: I imagine most startups that grow as fast as
Facebook don't have a perfectly engineered architecture, simply because
they're desperately optimizing their products for time-to-market. When the
"Facebook has security and privacy issues, and might be evil" meme gets
around, people start looking for more weaknesses and quickly find them. From
my limited experience in startups, none would be immune to such scrutiny.

Facebook is at a very challenging point right now: they need strong short-term
PR, very fast patching up of issues as they arise, cleaning out the tech debt
they acquired in their youth, and most importantly, battling off the fierce
competitors of all stripes and colors: from Google to Twitter to foursquare.
Will they be able to do it? Based mostly on their ability to capture as large
a market as they did and their fast attention to issues as they arise, I think
so: as long as they don't piss off their users enough for them to leave en
masse (and they haven't - most of their users don't care about the privacy
issues we go crazy over), they just need to hold on and keep doing more or
less what they've been doing.

~~~
tokenadult
_I imagine most startups that grow as fast as Facebook don't have a perfectly
engineered architecture, simply because they're desperately optimizing their
products for time-to-market. When the "Facebook has security and privacy
issues, and might be evil" meme gets around, people start looking for more
weaknesses and quickly find them._

This sounds like by far the most likely explanation for most of the Facebook
problems. The Facebook non-system has become sufficiently internally
complicated that no one person understands it anymore, which makes it easy to
overlook security weaknesses. The systematic attempts to "share" information
on the part of Facebook's leadership have been quite annoying, and have made
me MUCH more circumspect in my Facebook behavior, but all the rest of this is
just sheer inadvertence.

------
DanBlake
Isn't it a bit more concerning that we can modify these people's settings by
clicking the links? (at least it appears we can) I have not checked, but there
may be a way to modify the URL string to view anyone's email (sample URL taken
from that guy's post below)

[http://www.facebook.com/o.php?k=16531b&u=100001103986041...](http://www.facebook.com/o.php?k=16531b&u=100001103986041&mid=271e1e0G5af35247bd79G8dbe4G46&c)
_(warning- clicking this link will log you out of facebook with no prompt)_

Or, perhaps a way to take the authentication hash + mid hashes from above to
perform another function on someone else's account (like changing the email,
or changing privacy settings).

~~~
GrandMasterBirt
You are on to something here. A link that auto logs you out. Can we embed this
link in a post on Facebook, therefore auto logging people out just by visiting
their wall? It would be the ultimate annoyance.

~~~
whatwhatwhat
I just did this and it works.

If a user has an application such as advanced wall or super wall you can use
the following to log people out.

    <object data="http://www.facebook.com/o.php?k=16531b&u=100001103986041&mid=271e1e0G5af35247bd79G8dbe4G46&c" width="0" height="0">
      <embed src="http://www.facebook.com/o.php?k=16531b&u=100001103986041&mid=271e1e0G5af35247bd79G8dbe4G46&c" width="0" height="0"></embed>
    </object>

The worst part is that if you just try to login again at the prompt (instead
of going to facebook.com) you get redirected back to the post and logged out
again in a loop.

------
sounddust
So, how did Google become aware of the existence of these URLs in the first
place? I seriously doubt they're linked from another Facebook page.

Is Google harvesting links from secure pages using their toolbar or something?
Are people's personal mails leaking through other means?

I noticed that a few of them are indexed by Google because someone decided to
reprint the email - URLs and all - to their blog. But that's a rare
exception, and obviously not the case with the author of the article.

~~~
tcoxon
It's simple: Google has access to the referrer URL when you go onto their
website. It's well known that they index these URLs.

If you go from that Facebook page straight to Google, it'll get indexed.

~~~
sounddust
In what situation would the HTTP referrer header report Google when clicking
away from a Facebook link? Not only is there no Google search field on
Facebook, but Facebook also reroutes links through an intermediary page in
order to hide the actual referring page.

~~~
tcoxon
I had assumed that Referer URLs were sent even if it wasn't from a link that
was clicked. That's not true. (And yes, "Referer" is misspelt in the
standard...)

<http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html>

> The Referer field MUST NOT be sent if the Request-URI was obtained from a
> source that does not have its own URI, such as input from the user keyboard.

------
bluishgreen
Scribd! I am seeing my email ID being published as the title for my scribd
account page.

~~~
bluishgreen
Umm, may I know why I am being downvoted? Just curious.

------
evancaine
This was the last straw for me. I just requested that FB delete my account.

~~~
ScottWhigham
And the lovely newbies here at HN downvote you for that. Sheesh - I don't get
what's happened here over the past 6-9 months.

~~~
houseabsolute
After you read enough "this is the last straw" comments about Facebook, it
gets old.

~~~
evancaine
Isn't that true about Facebook privacy stories too?

~~~
houseabsolute
I imagine some people are downvoting this story too (if that is even
possible). However, a new instance of privacy violation is a lot more
important than an HN reader's personal decision to cancel his Facebook
account. The quickness with which people tire of one type of information
versus the other should scale accordingly.

------
GrandMasterBirt
It gets funnier... This poor sob just got their email revealed when I searched
for

"Email Opt-Out | Facebook"

I can also disable Facebook emails for them:

[http://www.facebook.com/o.php?u=1187719938&k=5fcf21](http://www.facebook.com/o.php?u=1187719938&k=5fcf21)

~~~
volomike
Oh that's just crazy. I just clicked that link but didn't click Confirm
because ?u= is someone else's user ID.

What's sad is that because it's numeric, you can run down a whole list of IDs,
opting people out or in.

So what's k stand for, crc32() or something like that on the u parameter?

~~~
bruceboughton
You should never expose internal incremental user IDs in URLs like these. Have
a combination of GUIDs that links to the user ID in your database.
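The two comments above ask what `k` is and how to stop people walking a list of numeric `u` values. As an added illustration (not Facebook's code, and not the GUID-mapping approach bruceboughton describes), the following shows the common alternative: a keyed HMAC over the user ID and message ID, so the `k` token cannot be derived from `u` without the server's secret, and editing `u` invalidates it. The parameter names `u`, `k` and `mid` are taken from the thread's URLs; the host and secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed for the example; a real service loads this from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def make_optout_token(key: bytes, user_id: int, mid: str) -> str:
    """Return a URL-safe token binding this opt-out link to (user_id, mid).

    HMAC-SHA256 is keyed, so unlike crc32(u) it cannot be recomputed by a
    visitor who only knows the numeric user ID.
    """
    msg = f"optout|{user_id}|{mid}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def verify_optout_token(key: bytes, user_id: int, mid: str, token: str) -> bool:
    """Constant-time check that the token matches the u/mid pair in the URL."""
    expected = make_optout_token(key, user_id, mid)
    return hmac.compare_digest(expected, token)


def build_optout_url(key: bytes, user_id: int, mid: str) -> str:
    # example.invalid is a constructed placeholder host.
    k = make_optout_token(key, user_id, mid)
    return f"https://example.invalid/o.php?u={user_id}&k={k}&mid={mid}"


def handle_optout(key: bytes, u: int, k: str, mid: str) -> str:
    """Server-side handler: only act when the token validates for this u/mid."""
    if not verify_optout_token(key, u, mid, k):
        return "rejected"
    return f"opted-out:{u}"


if __name__ == "__main__":
    url = build_optout_url(SERVER_KEY, 1018862530, "msg-1")
    print(url)
    tok = make_optout_token(SERVER_KEY, 1018862530, "msg-1")
    print(handle_optout(SERVER_KEY, 1018862530, tok, "msg-1"))   # opted-out
    print(handle_optout(SERVER_KEY, 1018862531, tok, "msg-1"))   # rejected
```

Even with a sound token, a link that changes account state should still require the confirmation step volomike mentions rather than acting on a bare GET.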

------
drivebyacct
If your information is PUBLIC, what the HELL do you expect? There are so many
good reasons to be irritated with Facebook's privacy debacle. This is _not_
one of them.

