This is a guest post by Joseph Bonneau. Joseph Bonneau is a researcher at the University of Cambridge Computer Laboratory whose research interests include privacy and security in social networks. He originally reported these vulnerabilities on his group’s research blog, Light Blue Touchpaper.
Facebook has a spotty track record enforcing the privacy of photos posted by users and designated as private. Up until last February, Facebook’s photo security relied on users not being able to craft custom PHP queries, instead of checking login cookies with every photo request. It was only a matter of time before this was hacked in a fairly spectacular way in February 2008, exposing a few personal photos of CEO Mark Zuckerberg. The “temporary flaw” was fixed, only to be hacked again in March, and again in May. The Associated Press picked up the story, Paris Hilton’s name got involved, and Facebook was forced to re-work their photo security and prevent these PHP-style hacks.
Recently, however, I’ve been poking around Facebook a bit as part of my ongoing research on privacy in online social networks, and I found a new set of problems with Facebook’s photo security. Facebook photos have URLs like http://www.facebook.com/photo.php?pid=34947682&id=210132, which include a photo id and a user id. A year ago, clicking on this link would show you my photo because Facebook didn’t check your login cookie if you knew the photo’s URL. This was the theme of last year’s hacks. In the current implementation, though, the login cookie is always checked against the photo’s access control list, so clicking on that link won’t work unless you’re one of my friends. Facebook encourages users to send out these “public photo links,” and they are posted all over the web.
Unfortunately, Facebook doesn’t actually host all of its own images; it relies on third-party content delivery networks like Akamai and LimeLight Networks to efficiently serve photos around the globe. If you examine the HTML for a Facebook photo page, you’ll see the image is hosted at an address like http://photos-c.ak.fbcdn.net/photos-ak-sf2p/v646/41/83/210132/n210132_34947682_4899.jpg. Note the .ak subdomain in the URL; this is a clear sign that Akamai is being used, which can of course be confirmed easily using a tool like traceroute.
This direct link will give you access to the photo from the link I posted above. It doesn’t matter if you are not one of my Facebook friends or even if you have a Facebook account; this is a simple HTTP GET request with no cookies at all. The photo server doesn’t check your login cookies for two reasons. First, it’s more efficient to host photos on a special-purpose, blazingly fast photo server which doesn’t have to worry about parsing PHP parameters and verifying login cookies. This kind of thing matters when you are hosting billions of photos. Second, since the photos are hosted from the domain “fbcdn.net” instead of “facebook.com,” your browser won’t send your Facebook cookies to the photo server. This is the “same origin” policy which is fundamentally built into web browsers, and is an essential feature to protect your privacy. It’s actually being used correctly here too, in that Facebook is preventing its third-party photo servers from having access to your cookies from the main site by hosting them from a separate domain.
The problem, though, is that now the confidentiality of a photo is reduced to its URL being difficult to guess. It sure seems to have a lot of randomness to it, but you’ll find you can remove most of that; the link http://photos-c.ak.fbcdn.net/photos-ak-sf2p/210132/n210132_34947682_4899.jpg will work just as well. You’ll also notice that now three of the four numbers present in the link are the photo ID and user ID that were listed in the original “public link” to the photo as hosted within Facebook. The only thing to guess is the final 4 digits, which effectively serve as a PIN. This is the part that Facebook flubbed: we know from the history of ATM security that four digits provide far from enough randomness to prevent brute-forcing. In fact, by simultaneously querying the many servers mirroring the same photos, it’s possible to try all of the 8999 possibilities in about 2 minutes.
Things get even worse, because once you have found one photo’s PIN, it is much easier to guess the PIN for the next photo from the same album. This is because the PINs are generated using a timestamp instead of a proper random number generator, a classic security mistake which has been known about for decades. I’ve coded up a script and been able to extract dozens of restricted photos from some of the public links floating around the web. Ultimately, these problems aren’t catastrophic and will probably be fixed by Facebook within a few weeks, but we can add them to the pile of security vulnerabilities on Facebook.
There is a disturbing pattern I’ve seen across many social networks in which functionality is added before the security details have been worked out, with predictably insecure results. This approach isn’t surprising for smaller social networking sites without the revenue to spend on proper security engineers, whose services are very expensive. Facebook, on the other hand, is a multi-billion dollar company which is trying to establish itself as a mature and stable platform. Amateurish mistakes like this shouldn’t be happening.
So we should really be careful on what we post on the internet/facebook as this may be used against in a totalitarian future.
Comment by Facebook User — February 23, 2009 @ 5:26 am
So we should really be careful on what we post on the internet/facebook as this may be used against US in a totalitarian future.
(edited, sorry)
Comment by Facebook User — February 23, 2009 @ 5:29 am
It always comes down to the same rule of thumb: if there's something you don't want the whole world to see, don't upload it to Facebook.
Comment by Tom — February 23, 2009 @ 5:46 am
Nice find
Comment by Ken Warner — February 23, 2009 @ 6:08 am
NOT ONLY THIS: but even if you DELETE A PHOTO it STILL REMAINS AVAILABLE via direct links like the one you describe.
Don't overlook this huge problem!
Comment by Mary — February 23, 2009 @ 7:12 am
Better yet, if there's anything you don't want the world to see, don't store it on your hard drive, but external media.
Comment by Dan Lowe — March 1, 2009 @ 4:58 pm
I think Facebook has changed the URL to photos now, but this still works for old photos.
Comment by Mark — April 5, 2009 @ 9:50 pm
"Dear Facebook Team,
on 18/10/2009 my account was disabled by an operator, because I used too functions on my Facebook account.
I leave you my contact details to verify my account:
- My account has been registered in an e-mail and is: ENZO85FORZANAPOLI@LIVE.IT
- My name as it appears on Facebook was FERRENTINO VINCENZO
- My date of birth: 24/02/1985
- My system network was Italy
- E-mail address originally associated with my account: ENZO85FORZANAPOLI@LIVE.IT
- A link (URL) to my profile on Facebook was:
http://it-it.facebook.com/VOSTRAURL
I await your notices."
Comment by VINCENZO — October 18, 2009 @ 1:32 pm
I think this way to access still works today!
Getting the URL can't be simpler: right click the photo and click "copy image URL"
Comment by gxg — December 28, 2009 @ 10:02 am
I have tried a number of times by changing my setting to everyone to show my photos, but yet again everyone still cannot see my photos!!
What is wrong?? I have only been on Facebook a couple of months and I am already starting to dislike it, as Facebook has always got something wrong with it!!
Comment by alison — January 22, 2010 @ 8:09 am
Funny how the one comment which has the most feeble link to the topic is posted by a girl…
HW DO I UPLOWD PIKTUR Y WUN IT SHO????
Comment by Zippy — February 10, 2010 @ 6:18 am
Nice Article…
Comment by Aditya Perdana — March 1, 2010 @ 6:24 am
Nothing is safe on the net
Comment by Anonymous — March 17, 2010 @ 7:28 am
Wow.
Can we or can't we take a pic we find on the web of someone we know and place it on our Facebook page? Yes or no? I have a photo of my son's step mother on my page and her sister tells me I have to remove it or they will take me to court. Is this true?
So I can have the pic but not the name?
Or I can put their full name up but not their photos that I find on the internet?
Marie_M009@live.com
I really don't get what the rule is on just that.
Comment by BrycesMother — August 7, 2010 @ 9:26 am
Thank you for sharing this, now the Facebook team will fix this so there is no way to view a private profile, why don't you just keep this to yourself.
Besides anyone who uses Facebook should NOT be allowed to have a private profile. If you want to keep something private don't upload it in the first place, that is the safest.
Isn't that the risk you take when you use the internet, and websites like this?
Comment by Justin — December 29, 2010 @ 12:25 pm
Out of all of the comments yours makes the best sense.
Comment by Justin — December 29, 2010 @ 12:27 pm
I am building a Facebook app that uses people's photos, and I was amazed when I discovered this vulnerability. Honestly it made building the app a lot easier. We let people choose photos to download to our site and then we make them into a collage that they can print. If the photo server checked a cookie, we would have had to find a way to send this cookie along with a curl request.
It seems like Facebook could fix this gaping security hole without too much trouble, and without inhibiting photo requests from api calls. All they need to do is only allow direct requests to photos from facebook.com. That would account for probably 95% of photo requests. The remaining 5%, cross domain api calls mostly, would have to go through an authentication system (maybe oauth), and the request originator would have to send a valid access token to the server in order to get the pictures.
This would make it so that only 5% of photo requests caused an extra workload.
Comment by Dan Polant — February 13, 2011 @ 8:56 am
If someone sends you a public link like http://a8.sphotos.ak.fbcdn.net/hphotos....
is it possible to see more from the same album?
Comment by Dean — July 10, 2011 @ 10:56 pm
That works if you can view the Facebook image to begin with…. so things like someone on your friends list getting pissed at you, or you leaving your account logged in on a shared machine, can compromise your photos to a broad audience that way. They can just copy the image URL and share it with the world… and once it's out there, you're never getting it back.
But he's talking about finding Facebook.com photo URLs and simply *generating* the actual image URL without having access to the person's photo album at all… which is even a bit more scary.
Comment by Ironica — November 11, 2011 @ 1:34 am