I work at Facebook, but this is not an official media statement.
This doesn't appear to be a Facebook bug that leaks anyone's private email address. It appears that all the examples indexed in Google exist in Google because they were already published publicly on other Internet sites. We're committing a fix right now to stop indexing this page in Google, but even that wouldn't prevent email addresses from being published because it appears that users are already republishing their addresses in other non-Facebook venues.
For example, if you see http://www.facebook.com/o.php?k=afc4a7&u=1018862530&... in isolation, it appears to be divulging private information.
However, the original Facebook email that links to that page and contains the user's email address was republished publicly on a mailing list archive by the owner of the email address: http://games.dir.groups.yahoo.com/group/Living_Greyhawk/mess...
Does anyone see an example where this is not the case that constitutes a privacy leak?
Although his email opt-out link has been edited out of that email (see "please clic to unsubscribe." at the bottom), it appears that the email was originally published to Posterous in its entirety via his iPhone and then edited later, after it was picked up by Google.
(Update: The author of the original blog post acknowledges this below.)
Would be nice for FB to exclude that page from getting indexed though.
Thanks for following up. My personal email address is indexed, but is nowhere else on the internet. Shoot me an email at firstname.lastname@example.org and I'll give you the address.
Can you see my response below regarding Posterous?
Also, it does appear that your email address is available on the Internet, e.g. http://groups.google.com/groups/profile?enc_user=nBw3lBQAAAA...
The point is that Facebook should be responsible for protecting their own indexing vectors.
Plain and simple.
No they don't. Plenty of people have multiple email addresses forward to one account. Showing the email address helps, and it's harmless unless people post the link somewhere else on the internet.
I checked out the Google site and saw a few addresses in the format email@example.com, which indicates these are the SECRET email addresses people use to post to their blogger sites. Pretty bad.
Facebook is at a very challenging point right now: they need strong short-term PR, very fast patching up of issues as they arise, cleaning out the tech debt they acquired in their youth, and most importantly, battling off the fierce competitors of all stripes and colors: from Google to Twitter to foursquare. Will they be able to do it? Based mostly on their ability to capture as large a market as they did and their fast attention to issues as they arise, I think so: as long as they don't piss off their users enough for them to leave en masse (and they haven't - most of their users don't care about the privacy issues we go crazy over), they just need to hold on and keep doing more or less what they've been doing.
This sounds like by far the most likely explanation for most of the Facebook problems. The Facebook non-system has become sufficiently internally complicated that no one person understands it anymore, which makes it easy to overlook security weaknesses. The systematic attempts to "share" information on the part of Facebook's leadership have been quite annoying, and have made me MUCH more circumspect in my Facebook behavior, but all the rest of this is just sheer inadvertence.
When the world's second largest site allows you to monitor the private chats of 400 million people - when it leaks your IP address to other people via e-mail for no reason - and now when it's leaking people's e-mail, then it's a big deal.
That's not even taking into consideration the privacy issues that were not bugs.
I still have these mails in my inbox. People who I've never met nor conversed with online in my life.
And whether it's sensitive depends on the context. Revealing one's IP reveals their location, and I can think of many cases in which this is sensitive information.
Unless someone knows exactly how the internet works, getting their IP address via social engineering is trivial. Facebook's behavior was not a big deal, though fixing it was a positive thing.
This is an actual privacy bug.
(warning- clicking this link will log you out of facebook with no prompt)
Or, perhaps a way to take the authentication hash + mid hash's from above to perform another function on someone elses account. (like changing the email, or changing privacy settings)
If a user has an application such as advanced wall or super wall you can use the following to log people out.
<object data="http://www.facebook.com/o.php?k=16531b&u=100001103986041... width="0" height="0">
<embed src="http://www.facebook.com/o.php?k=16531b&u=100001103986041... width="0" height="0">
The worst part is that if you just try to login again at the prompt (instead of going to facebook.com) you get redirected back to the post and logged out again in a loop.
Is Google harvesting links from secure pages using their toolbar or something? Are people's personal mails leaking through other means?
I noticed that a few of them are indexed by Google because someone decided to reprint the email - URLs and all - to their blog. But that's a rare exception,and obviously not the case with the author of the article.
I suspect Google found these pages by scanning the directory structure of facebook, indexing all pages in these subdirectorys, and finding more subdirectories to drill in to.
Maybe somebody accessed those pages using the Google toolbar, in that case Google could have known about those pages even if they were not linked from any other pages elsewhere.
URLs and embedded information
Some of our services, including Google Toolbar and Google Web Accelerator, send the uniform resource locators (“URLs”) of web pages that you request to Google. When you use these services, Google will receive and store the URL sent by the web sites you visit, including any personal information inserted into those URLs by the web site operator. Some Google services (such as Google Toolbar) enable you to opt-in or opt-out of sending URLs to Google, while for others (such as Google Web Accelerator) the sending of URLs to Google is intrinsic to the service. When you sign up for any such service, you will be informed clearly that the service sends URLs to Google, and whether and how you can opt-in or opt-out.
For example, when you submit information to a web page (such as a user login ID or registration information), the operator of that web site may “embed” that information – including personal information – into its URL (typically, after a question mark (“?”) in the URL). When the URL is transmitted to Google, our servers automatically store the URL, including any personal information that has been embedded after the question mark. Google does not exercise any control over these web sites or whether they embed personal information into URLs.
We process your requests in order to operate and improve the Google Toolbar and other Google services. For example, by knowing which web page you are viewing, the PageRank feature of Google Toolbar can show you Google's ranking of that web page. And the Sidewiki feature can tell you if others have written Sidewiki entries on a given page. Likewise, by processing the text on a web page, SpellCheck can offer spelling suggestions and AutoLink can provide useful links to information.
If you go from that Facebook page straight to Google, it'll get indexed.
> The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard.
If there were no privacy debate re facebook going on right now I expect this would have stood up on it's own anyway.
"Email Opt-Out | Facebook"
I can also disable facebook emails for them:
What's sad is that because it's numeric, you can run down a whole list of IDs, opting people out or in.
So what's k stand for, crc32() or something like that on the u parameter?