With Facebook Privacy, Everyone Means Everyone - Social Media SecuritySocial Media Security

With Facebook Privacy, Everyone Means Everyone

“Security through obscurity” refers to the idea that content can be kept safe by making it hard to find rather than inaccessible without authorization. Many photo hosting sites use complicated URIs for uploaded pictures, making it very unlikely anyone would simply stumble across a particular picture by entering a random address. End users may think such a setup is reliable enough to keep their content private.

However, security researchers routinely criticize the notion that obscurity provides much security at all. Hidden content is often more easily found than people may suspect. Even if finding the content may not seem obvious, tricks often exist to work around a system’s obscurity and gain even targeted access to resources.

Case in point: Facebook’s photo albums. For years, the default level of access on new albums has been “Everyone.” Up until this week, many Facebook users apparently paid little attention to their privacy settings, and while someone could theoretically access a public photo album, the likelihood of someone guessing a legitimate album ID for a particular user seemed remote. Although many people (including this blogger) had pointed out that albums could be accessed given the file name of one photo within the album, that still required more knowledge than most would-be photo hunters would have.

But as Facebook has rolled out their new privacy model (a story I’ve not covered here as it’s been well documented elsewhere, and I’ve been posting relevant links on my Twitter), users are suddenly taking note of who can access what on their profiles. In an ironic turn of events, Mark Zuckerberg’s personal photo albums became easily accessible after the privacy switch. It’s likely Zuckerberg had set his albums to “Everyone,” but until now the list of albums was not included on someone’s profile unless you were their friend.

In the past, developers used Facebook’s API to access public albums for non-friends, but Facebook shut off that functionality. After the Zuckerberg story, Facebook apparently removed users’ photo album lists from the profiles of non-friends, once again resorting to a security through obscurity approach.

Once again, though, the new behavior has a simple workaround. Create a new web page and insert an inline frame with this URI: http://www.facebook.com/ajax/profile/tab.php?id=USERID&v=photos&iframe=true Replace the “USERID” part with a Facebook user’s ID number. Load your page and view the source of the iframe. You’ll see a block of HTML encoded within some JavaScript, and embedded in that HTML are links to the user’s photo albums that you can access. Note that loading the Facebook URI directly will not work – you must use an iframe.

I have no problems posting this as I’m not foiling any of a user’s privacy settings or somehow working around Facebook’s access restrictions. This trick only exposes albums that you can access based on the albums’ privacy settings. Of course, many Facebook users may be surprised to see which of their albums can be accessed by non-friends this way.

The lesson here is that on Facebook, “Everyone” really does mean everyone. Take the time to check all of your privacy settings and make sure nothing is set to “Everyone” that you wouldn’t want the entire Internet to see.

In fact, many would argue that you shouldn’t post anything on Facebook that you don’t want the entire Internet to see, since despite Facebook’s many privacy settings, much of your content has long been accessible via Facebook applications – and security issues with applications are well-documented.

Does that mean you should never use Facebook? At some point, we have to live our lives, and that always includes risks. The key is awareness – think about what you’re posting, understand the ramifications of your privacy settings, and stay current with changes in online security and privacy. Those steps are some of the most important in protecting your identity.

Update: As with API access before, Facebook issued a patch some time in the last five hours that blocks the trick I described for accessing public albums. Honestly, this doesn’t make much sense, since the albums are marked for “everyone.” If anything, it trains users to rely on security through obscurity.

Amusingly enough, while Mark Zuckerberg’s albums are still accessible by URI (according to reports, he made them public on purpose), some of the other Facebook employee albums that I had previously accessed are now inaccessible – meaning the album owner may have been trusting in security through obscurity until now as well.

Update 2 (12/15): At present, a slight adjustment to my previously posted trick once again enables access to a user’s public albums. Adding the parameter &__a=1 to the end of the old URI once again loads the album links (e.g. http://www.facebook.com/ajax/profile/tab.php?id=4&v=photos&iframe=true&__a=1 for Mark Zuckerberg’s albums). The parameter &sb= can be used to access multiple pages of albums (“sb” seems to be set to multiples of 4 or 5). Please note that you still need to use the iframe setup I described earlier. Anyone interested in further details or a demonstration can e-mail theharmonyguy via Gmail.

Keep in mind Facebook may block this version of the trick at any time. However, as I noted before, this only provides access to albums which users have marked as being for “everyone,” and thus should not even be required in the first place. If Facebook truly wants to make sharing content easier, why not simply provide a list of public photo albums on a user’s profile? The issue here is not a problem of privacy, but user expectations. Facebook has trained users to accept default settings on photo albums while thinking they’re not easily accessible. Making the albums hard to find gives an illusion of privacy and only delays any rude awakenings that may come from users who have inadvertently shared private photos.

Update 3: I may have spoken too soon last week; I just tried using the URI without &__a=1 and it still worked. Perhaps there was simply a glitch before when I thought the trick had been blocked.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark


Share with your friends!
  • Facebook
  • Twitter
  • Google Plus
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS



Email