Re: Facebook Image Privacy

[Vincent Hoffman <vince () unsane co uk>]

Larry Seltzer wrote:
> I recently blogged about something interesting in Facebook privacy
> (http://blogs.pcmag.com/securitywatch/2010/01/is_facebook_privacy_a_sham.php
> - hat tip to F-Secure): If you upload an image and set the permissions
> to “Only Me” it gives you a publically-accessible URL through which
> anyone can access the image.
>
>  
>
> A Facebook employee entered a comment that said that only the user who
> posted the image gets that URL from them, so therefore it’s private.
> The URL
> (http://www.facebook.com/photo.php?pid=4722564&l=c56ff5065a&id=675398046
> <http://www.facebook.com/photo.php?pid=4722564&l=c56ff5065a&id=675398046>
> for example) isn’t especially obvious, although the last
> “&id=675398046” is my user id, which is public in Facebook.
>
>  
>
> The URL may not be obvious, but it’s on a publically-accessible site
> so it’s at least a little cheesy to call it private.
>
>  
>
> What do you think?
Nothing terribly new.
http://www.lightbluetouchpaper.org/2009/02/11/new-facebook-photo-hacks/
Looks like they have changed the url scheme for the the CDN now so it
might be harder to see any other photos in the album, but the CDN is
still serving the photo even though the facebook.com link doesnt work
any more so i guess the retention issue still exists.

Vince
>  
>
> Larry Seltzer
> Contributing Editor, PC Magazine
>
> larry_seltzer () ziffdavis com
>
> http://blogs.pcmag.com/securitywatch/
>
>  
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.