Why private Facebook photos aren’t so private
By Tom Brewster
Access controls on Facebook photos will not keep them truly private, IT PRO has learned.
By simply right-clicking on a photo and selecting ‘copy image location’, anyone can then paste the URL to share it with unauthorised users, even those not on Facebook.
“If Tom decides to share a photo with Betty and only Betty, Betty can in fact share that photo wherever she pleases without Tom knowing by simply right clicking on the photo and copying the address or image location,” an anonymous source explained to IT PRO.
We tested the theory on Facebook and found the source's claims to be true.
The source suggested the findings indicated Facebook image servers are not encrypted.
The source also hypothesised a hacker with untoward intent could upload a variety of photos to their own account, examine the URLs and work out the server and file naming systems.
A hacker could then develop a script to generate various combinations, search for files, download and spread them, the source suggested.
"On Facebook we have numerous protections to prevent guessing of attacks on photos. For example, each photo includes a random secret key that has millions of permutations," a Facebook spokesperson told IT PRO.
"We of course do not disclose all of our protections to protect their integrity."
The spokesperson noted users can copy and paste any photos they have access to from any website and send it to whomever they want.
"This is exactly the same action as copying and pasting the content delivery network URL, which functions the same way on many major websites including Flickr, TwitPic and Picasa," the spokesperson added.
"While this practice is standard across many sites, we are always working on ways to improve the user experience and actively working on building additional protections."
Graham Cluley, senior technology consultant at Sophos and regular commentator on Facebook, said it was “pretty bad form” from the social network to have photos viewable by people without permission.
“The fact that you can see ‘private’ photos when you're not even logged in to Facebook suggests that they simply haven't grasped what privacy is all about,” Cluley told IT PRO.
“Only Facebook users who are logged in and authorised to view specific photos should be able to see the photos.”
The issue is a potentially serious problem for Facebook, which has come under fire for its handling of privacy in the past.
Just this week, Facebook seemingly carried out a u-turn on a feature that would let app developers access users’ mobile phone numbers and addresses.
The social networking giant said it was going to update the feature to ensure users only share their data when they intend to do so.
Last year, Facebook updated its privacy settings after it was heavily criticised by various groups.
During the summer of 2010, Privacy International went so far as to send an open letter to Facebook calling for the social network to make significant changes.
One call the group made was for Facebook to provide users with control over every piece of information they can share, including photos.
It seems users do not have total control over how their images can be used just yet.
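The two access models at issue can be put side by side. The following Python sketch is an added illustration, not code from IT PRO or Facebook: it contrasts a permanent URL protected only by a random secret, as the spokesperson describes, with a link that is signed for one logged-in viewer and expires, which is what Cluley asks for. Every name, the URL layouts and the signing key are hypothetical, and the second model assumes the image server can see who is logged in.

```python
import hashlib
import hmac
import secrets
import time

# Everything below is constructed for illustration; none of it is Facebook's.
SERVER_KEY = secrets.token_bytes(32)                 # hypothetical CDN signing key
ACL = {"photo-1": {"tom", "betty"}}                  # Tom shares photo-1 with Betty only
STATIC_SECRET = {"photo-1": secrets.token_urlsafe(16)}  # per-photo "random secret key"

def static_url(photo_id):
    """Model 1: permanent URL whose only protection is an unguessable secret."""
    return f"/cdn/{photo_id}/{STATIC_SECRET[photo_id]}.jpg"

def serve_static(url):
    """The image server checks the secret in the URL and nothing else."""
    _, _, photo_id, name = url.split("/")
    return hmac.compare_digest(name, STATIC_SECRET.get(photo_id, "") + ".jpg")

def _sign(photo_id, viewer, expires):
    msg = f"{photo_id}|{viewer}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def signed_url(photo_id, viewer, now, ttl=300):
    """Model 2: URL issued per viewer after an ACL check, valid for ttl seconds."""
    if viewer not in ACL.get(photo_id, set()):
        raise PermissionError(f"{viewer} may not view {photo_id}")
    expires = int(now) + ttl
    return f"/cdn/{photo_id}.jpg?exp={expires}&sig={_sign(photo_id, viewer, expires)}"

def serve_signed(url, session_user, now):
    """Recompute the signature for whoever is logged in; reject stale links."""
    path, query = url.split("?")
    photo_id = path.rsplit("/", 1)[1].rsplit(".", 1)[0]
    params = dict(pair.split("=") for pair in query.split("&"))
    expires = int(params["exp"])
    expected = _sign(photo_id, session_user or "", expires)
    return now < expires and hmac.compare_digest(params["sig"], expected)

def demo():
    now = time.time()  # Betty copies each URL; who else can use it?
    static, signed = static_url("photo-1"), signed_url("photo-1", "betty", now)
    return {
        "static, logged out": serve_static(static),
        "signed, betty": serve_signed(signed, "betty", now),
        "signed, logged out": serve_signed(signed, None, now),
        "signed, other user": serve_signed(signed, "mallory", now),
        "signed, betty after expiry": serve_signed(signed, "betty", now + 301),
    }
```

Neither model stops an authorised viewer from saving the image and passing the file on; the signed form only ensures the copied link stops working for anyone else.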
Photos & Privacy at Facebook
Thanks for this article, Tom. You've touched on a subject that's very dear to me. I want to start by saying that our job isn't finished (and will never be). We'll continue to adopt the best practices in this space and there's always more that we can do. That said, I don't believe you completely explained the challenges here.
I'm going to touch on three of them:
1) Friends Sharing Photos
When you share a photo with someone, that person can do whatever they want with it. That's just a fact of life. There's no way for you to mail someone a postcard and ensure that they're the only one that's going to see it. There's also no way for a photo to appear on someone's screen while preventing them from redistributing it.
Even encryption won't help, because once you share the photos we have to decrypt them. To not decrypt the photos means that nobody (not even yourself) can see them! And, once your friend has access to the unencrypted photo it can be easily passed around. They could either just copy and paste the photo into an email, or take a screen capture and share that. All modern operating systems support the screen capture functionality...
But let's say, for the sake of argument, that we *destroy* your friend's computer after she sees the photo. What's to prevent your friend from just *telling* others what was in the photo? Or taking a picture of what's on the screen and passing that around? Or drawing a picture? Wouldn't all that be just as bad?
My point is that once you've shared a photo the cat's out of the bag. Encrypting the photo or hiding the photo CDN URL doesn't give your friend access to anything she doesn't already have. For that reason it's important to share your photos with the people you trust.
2) File Naming scheme
Understanding the Facebook CDN photo naming scheme will not give a hacker access to any photos. In fact, Flickr even describes their CDN photo naming scheme on their website: http://www.flickr.com/services/api/misc.urls.html
3) Could a hacker develop a script to search for files?
Just like on Flickr, a hacker could iterate through millions of possible permutations to find a photo. However this would be a time-intensive process. By my rough math, it'd take about a year to "brute-force" an individual photo on one computer. That's comparable to the average amount of time it'd take to "brute-force" a login to most bank websites.
Despite this, we've taken (and will continue to take) a number of additional measures to detect and stop this malicious behavior.
Thanks,
- Sam Odio
Facebook Photos Product Manager
By Sam_Odio on Friday Jan 21
Comment formatting stripped?
Since all formatting in my comment below has been stripped (making it unreadable) I'm reposting my reply here: http://sam.odio.com/2011/01/25/facebook-photos-and-privacy/
By Sam_Odio on Tuesday Jan 25