Facebook images open to access


ANY Facebook image, no matter how strong the member's privacy settings, can be viewed by anyone who obtains its URL, security experts have warned.

The social networking giant is flexible about how images are shared: a member can send the URL of a photograph to others, who can then view it without being a Facebook user or logging in.

People don't realise that they don't have to be logged into Facebook to view photographs, according to Pure Hacking chief technology officer Ty Miller.

However, this was a business decision made by Facebook and not a technical issue, Mr Miller said.

The unauthorised access of privacy-protected photographs on Facebook will continue unless the social networking giant decides to close the loophole, according to Mr Miller.

"It is a (business) choice that Facebook has made that has led to this vulnerability ... they have accepted the risk," Mr Miller said.

Facebook receives hundreds of thousands of image requests per second, and serving them through third-party content delivery networks (CDNs) saves money and speeds up delivery.

But the problem lay in a business decision by Facebook not to put strict access controls on those CDNs, so the CDN serves an image to any request that carries the right URL, Mr Miller said.

"It's a design decision made by Facebook to go that way," he said.

CDNs are not exclusive to Facebook and are used by most social networking sites, but Facebook has by far the largest user base.

Mr Miller said that if Facebook didn't use CDNs, it would have to invest hundreds of millions of dollars in infrastructure to satisfy its 500 million members.

He said Facebook's access control issue was well-known in the security community.

"Web access control is a common vulnerability and this is not a new issue with Facebook. It has been the case for some time," Mr Miller said.

He said it was up to Facebook to "lock it down" and secure the CDNs to protect people's data.
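To make the mechanism concrete, here is an added example (it is not Facebook's code and not part of the article) contrasting the design Mr Miller describes, in which the CDN edge serves any well-formed image path and the URL itself is the only credential, with one way of "locking it down": a URL that carries an expiry and an HMAC signature that the edge verifies before serving. The signing key, the URL layout, and the key-space and request-rate figures fed to the brute-force estimate are all assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed key shared between the origin that mints URLs and the CDN edge that
# checks them. This is an illustration, not Facebook's scheme.
CDN_SIGNING_KEY = b"example-signing-key-not-a-real-secret"


def unauthenticated_cdn_allows(url: str) -> bool:
    """The design the article criticises: the edge serves any well-formed image
    path, so possession of the URL is the only access control (a bearer token)."""
    return urlparse(url).path.startswith("/photos/")


def sign_image_url(path: str, expires_at: int, key: bytes = CDN_SIGNING_KEY) -> str:
    """Mint a capability URL carrying an expiry and an HMAC-SHA256 over path|expiry."""
    msg = f"{path}|{expires_at}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'exp': expires_at, 'sig': sig})}"


def signed_cdn_allows(url: str, now: int, key: bytes = CDN_SIGNING_KEY) -> bool:
    """Edge-side check: refuse requests whose signature is missing, expired or forged."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        exp = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > exp:
        return False
    expected = hmac.new(key, f"{parsed.path}|{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the edge does not leak the signature byte by byte.
    return hmac.compare_digest(expected, sig)


def expected_guess_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average time for an attacker enumerating the random 'secret key' part of an
    unauthenticated URL to hit one valid photo: half the key space over the rate."""
    return keyspace / 2 / guesses_per_second


if __name__ == "__main__":
    photo = "/photos/123456/789.jpg"  # constructed path, not a real Facebook URL
    url = sign_image_url(photo, expires_at=1_700_000_000)
    print(url)
    print(unauthenticated_cdn_allows(photo))           # served with no check at all
    print(signed_cdn_allows(url, now=1_699_999_000))   # valid and unexpired
    print(signed_cdn_allows(url, now=1_700_000_001))   # expired
    print(signed_cdn_allows(url.replace(photo, "/photos/123456/790.jpg"),
                            now=1_699_999_000))        # path changed, signature fails
    # Assumed figures: a key space of ten million and 1,000 guesses a second.
    print(expected_guess_seconds(10_000_000, 1_000))
```

The signed variant keeps the sharing feature the article describes: a member can still hand the URL to a non-member, who can view the photograph without logging in, but only until the expiry passes, and a changed path or secret fails the signature check. With the assumed figures above, a ten-million-key space enumerated at 1,000 guesses a second falls on average in about 83 minutes, which is why the size of the random component in an unauthenticated URL, not merely its presence, decides how much protection it gives.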

He reminded users not to post images or information online if they didn't want people to find them.

"Users definitely have a false sense of security. This vulnerability is a security breach and an invasion of people's privacy," Mr Miller said.

He said programs to secure Facebook URLs can be downloaded from the internet.

The security issue resurfaced after a Fairfax journalist was detained in Queensland for publishing a story on an alleged Facebook security breach. 

Ben Grubb had published a story on the SMH website on Tuesday describing how IT security expert Christian Heinrich could access privacy-protected Facebook photographs without being the member's "friend".

The demonstration was conducted at an IT security conference on the Gold Coast and Mr Heinrich based his test on photographs posted by the wife of Chris Gatford, a rival security consultant.

Mr Heinrich claimed that he guessed the URL of the photo by using a computer program.

Mr Grubb was released after 90 minutes of questioning, during which his iPad was confiscated. Mr Heinrich has yet to be contacted by police.

Facebook declined to comment on the police investigation directly.

However a Facebook spokeswoman said the company took security "very seriously and we are looking into this matter". 

"We have numerous protections to prevent attacks in which people attempt to guess the URL of a photo hosted by our content delivery network (CDN)," she said. 

"For example, the URL of each photo includes a random secret key that has millions of permutations. 

"We of course do not disclose all of our protections to protect their integrity," the spokeswoman said.

She said Facebook was "always working on ways to improve the user experience and actively working on building additional protections".

"We work with many security experts and we have a responsible disclosure policy and encourage well-intentioned security researchers to contact us when they find a vulnerability."

She said security researchers could work with Facebook to correct a vulnerability and Facebook gave credit to people who helped find and fix real vulnerabilities.

http://www.theaustralian.com.au/australian-it/facebook-images-open-to-access/story-e6frgakx-1226059138255