The Register® — Biting the hand that feeds IT

Feeds

Facebook security hole exposes Paris Hilton's . . . um, pics

A week after Facebook executives introduced new security features to great fanfare, a glitch on the popular social networking site has exposed private pictures of Paris Hilton to anyone with an internet connection. The Associated Press, which broke the story, was able to use the same, er, hole to view Italian vacations, office …

This topic is closed for new posts.
Martin
Paris Hilton

what i can't quite understand

is why the hell you'd want to?

J-Wick
Paris Hilton

Try 4chan...

I would, but I'm at work, and would like to remain so.

http://www.4chan.org

Only click the link if you're not faint of heart, and have no web filter (or can clean it out afterwards)...

Finally - an appropriate use for the Paris icon!

Anonymous Coward
Paris Hilton

Where's Paris Hilton angle?

Paris Hilton because I can't find my coat.

Daniel B.

Ah, the Web 2.0 "Security"

... I'd bet the "security" in question would be simple JavaScript checks, and no server-side checking.

Typical for apps that don't factor in security from the beginning. Its like those sites with the easily circumvented "disableRightClick()" functions, or the "password protected" sites using only JavaScript. Oops!

My favorite ones are the ones that overlap phony invisible images over the "real" one, so right-clicking and saving the image gets the fake one... only for me to fire up my local proxy and get the *real* URL for the pic. (Or check the HTML source.)

But then, this is Facebook we're talking about, what should we expect from this?

Colin Morris

Bingo!

So.. we have the Paris Hilton angle..... check....

and we have the IT angle...... check....

HOUSE!

..... I'm off to the cloak room right now...

no Paris icon because......

Anonymous Coward
Anonymous Coward

yeah

4chan.org or 7chan.org /r/equests board (not random for ----s sake)

Phil Rigby
Paris Hilton

You'd think she would learn her lesson...

...after the Sidekick fiasco. I wonder if her password is still the name of that rat terrier dog?

Anonymous Coward
Anonymous Coward

When I read this...

All I could do was just laugh. Web 2.0, no thanks, I'll wait for the book & web 3.0, because your biggest proponents suck... Bitch!

Wyrmhole

Re: Ah, the Web 2.0 "Security"

Actually, there is no security at all. If you know the URL of a photo or a photo album (private or public), you can see it without even logging in. I'm not sure whether it should be called a security hole or a feature-by-design.

Anonymous Coward
Anonymous Coward

paris hilton is not a meme

1) Start Facebook

2) ????

3) Profit

Matthew Ward
Paris Hilton

A few weeks?

This has been about a fair bit longer than a few weeks... I remember being able to use this hack quite a few months ago, when people I knew would send me links to photos on Facebook where I wasn't friends with the person concerned (who either took or featured in the photo). Just presumed it was a feature of Facebook so to speak (security through obscurity) as opposed to a gaping security flaw, which it apparently now is.

In reference to an earlier post, I just think there was no particular checking (server-side or javascript) for photo.php at all. It just served up whatever ID you gave it, assuming the user was directed to the URL from a legitimate, internal source.

Martin Budden

@ Anonymous Coward

2) Sell for mucho cash in 2007... doh!

Vic
Coat

Oh dear

I've been looking at people's private pics for ages probably. If one of your friends comments on some other random person's photo it will pop up on their feed - you just click and scroll through the whole album. I actually kind of assumed till now that the pics weren't actively designated private but it was just that I wasn't 'friends' with that person and so I couldn't access their stuff by 'normal means', ie through their prorile....ouch, maybe they are... I think I should disable comments on my pics then...

There are so many privacy holes in this it's pretty insane. Makes you almost want to believe the stories....the making of it seems to have been a bit of a one-hit wonder. I guess there's always real one-hit wonders though, maybe we're only allowed one really good idea each. There's bands like that as well...Milli Vanilli, uhhhh....

(Seriously showing my age here, lol)

Nic
Boffin

Image URLS can be direct

But a nice clean way is to use mod_rewrite and pass them through a script.

I typically setup something like:

www.site.com/pics/x/y/id.jpg

Where x = width, y = height and id is the db reference to the image link or similar. The whole thing is mod_rewritten to an image handling engine like PHP Thumb but with the inclusion of user security so you can tell unauthorised users to go stick it.

Easy peasy.

/ducks waiting for abuse from someone that knows better.

Anonymous Coward
Anonymous Coward

Surely not so much a security flaw as a privacy issue?

As it says in the title. We shouldn't be suprised, the whole point of Facebook is to surrender your privacy anyway.

Anonymous Coward
Boffin

Erm, excuse me but...

If it's a "private" picture, why post it to a public site?

Luke Wells

Why would you?

Why would you upload your "private" photos to the internet? Anything you upload to a webserver anywhere should only be things you dont mind other people seeing.

madra
Heart

@vic

<camp american voice>

leave... milli... vanilli... alone.... [sob!]

</camp american voice>

Nic
Flame

@Luke Wells and others

Well if the site tells you it will keep the images private then I don't see why you wouldn't/shouldn't.

Webservers are used for lots of Private data. On-line banking anyone!?

You CAN make data secure and private on a webserver. What you absolutely shouldn't do is claim privacy when there is none or what is there is badly written. This does so much damage to consumer confidence.

Mostor Astrakan
Paris Hilton

Private Data....

Your private data does NOT belong on a machine owned by someone else, no matter how much the pushers of those machines are imploring you. Private data you keep on a machine that YOU own, and can turn off if need be.

Facebook can legally search for, look at, disclose or delete any picture that you choose to upload to their site because it's THEIR computer. Just because they can, doesn't mean thet should, of course, but the safety-conscious Internaut keeps his/her cards close to his/her chest, especially if that chest is the subject of much public interest.

Social networking sites are really great for bringing home to people that the normal English vocabulary (i.e. "Private", "Friends", "Security") do not mean on the Internet what they mean out there in the wetworld.

Paris icon for obvious reasons...

Paul

Facebook

I dont know why people join it anyway. I set up an account a few weeks ago so that I could view a friends wedding photos. I set up an account under my name, but everything else was blank or a lie, and the email address was one of my throw away hotmail ones I use for signing up to anything I don't trust (like hotmail :-)). Oh, and I put one note on it for people to read, saying "I will not be using this account. Please don't try to contact me here as you will get no reply and will think Im being rude. Im not, I just think that my conversations are mine, and so are my Pics, not Facebooks".

Now Im getting every person I have ever met wanting to be my friend. Im glad to know (again) I was doing the right thing. Now If they would just Fuck off and stop filling my inbox with Junk.

Steve
Thumb Down

Mostor

See post previous to yours with online banking destroying your argument.

I have plenty of private information maintained by various companies, solicitors, banks, insurance companies, etc... Much of it is accessible via the internet for my convenience, but it is secure (I hope) by design, rather than written in a script kiddies language that is difficult to secure if they'd even thought about it.

Ken Hagan

@Steve @Mostor

"I have plenty of private information maintained by various companies, solicitors, banks, insurance companies, etc..."

Me too, but I'd wager firstly that none of them have pictures of your privates and secondly that they are all based within the same legal jurisdiction as you so if they mis-use it or lose it then you can sue *their* privates off.

(The UK's NHS IT backbone might break both rules of course. But any fule can see that it's a really bad idea.)

Anonymous Coward
Unhappy

There is a way to combat this

We have started a Facebook group called "Facebook does not care about my privacy". Join Facebook and then join that group, and together we will send them a strong message about how important privacy is to us.

Kenny Millar

Stupid users.

You posted photos to an internet site. Of course they're gonna be public, regardless as to any so called security the site promises.

When will people learn that there are no locks and bolts on the net.

Bob H
Stop

Simple

Never put anything on a social networking site you wouldn't discuss with or show to friends in a busy pub.

Guns don't kill people... people kill people.

Mostor Astrakan

@Steve

"I have plenty of private information maintained by various companies, solicitors, banks, insurance companies, etc..."

Well yes, agreed. But what I was thinking of was the folly of putting your unmentionables on a publicly-available website like Facebook, MySpace and LiveJournal. Those things are designed specifically to rape your privacy and bomb you with unwanted cruft. I moved my witterings^Wblogging from LJ to my own server in the wake of a number of liberties LJ seemed to be taking with people's writings. I never was on the others. I'm Too Cool For Facebook/MySpace. Don't think I'm bragging. Things live in my rain water barrel that are too cool for MySpace/Facebook.

Banks and insurance companies are not allowed by law to disclose, say, your saldo or what kinds of policy you have. (Unless a Bigger Law shows up). Which is not to say that they don't mess up occasionally, so there is still some kind of risk involved.

Anyway, since I'm at work, I haven't looked at these Paris pics yet - are they actually worth looking at or are they the usual Paris-Hilton-seen-through-the-Hubble-telescope-with-her-top-off that the Sun willingly pays thousands for?

This topic is closed for new posts.