25 March 2008

Insecure Facebook Photos, and Sometimes, Insecure Networks

By Tony Ruscoe & Philipp Lenssen

Private Facebook photos were exposed to the public through a simple URL edit, Associated Press and ReadWriteWeb report. The hole is now apparently closed. Similar cases have appeared before on other sites with photo hosting and sharing, like MySpace and SmugMug.

Furthermore, as we found out, with a little workaround anyone can see what we understand is intended to be an employee-only Google network. Once in that network, you can also view e.g. photos and profiles which the Google employees have flagged to be seen only by members of that network, or follow the network’s discussions. (There are currently 8,529 members in the Google network.)

We alerted Facebook and Google security of this today (it’s somewhat hard to define which of the two companies is responsible for this security issue) and can reveal details once they have had some time to fix it. Note the workaround may or may not be applicable to other networks; it depends on the network. The safest option until it’s fixed may be to temporarily leave private networks, or perhaps choose some other option to make a profile more private.
