Facebook security hole allows viewing of private photos (bodybuilding.com)
372 points by zone411 on Dec 6, 2011 | hide | past | favorite | 137 comments



This was indeed a bug, and shouldn't work any more. We turned off the system that lets you report content through this flow (and thus made this bug's code inaccessible) as soon as we became aware of the issue.

In the future, if you find a security / privacy bug on Facebook, feel free to report it via our whitehat program, which will get things looked at more quickly than random blog posts. You can get credit for the find and even make money with bug-bounty payouts: http://www.facebook.com/whitehat/.

For what it's worth, a few people were alluding to this meaning that we don't check privacy by default. In fact we do have a pretty robust default-deny system for running privacy checks. This was an edge case where it was forced to work in a way that was incorrect.

(I work at Facebook, but not on this system.)


It's still possible to make the request using:

  http://www.facebook.com/ajax/report/social.php?__a=1&__d=1&attach_additional_photos=1&cid=XX&content_type=0&h=YY&phase=6&report_id=1&rid=XX
Where XX and YY can be found by watching the net request made when clicking the initial Report/Block button.

That said, I'm not sure if it is returning private photos, or just photos that are public - possibly you guys have fixed it on this side, not just the front end having links to it, but figured I'd mention it in case not.


Thanks, we'll take a look. In the future you should use https://www.facebook.com/whitehat/ though, as I unfortunately don't catch every HN comment :-).


Figured there was a good chance you'd already know whether that has been patched and only gives results for non-private photos or not, so seemed a potentially easier option :)


It is great that you have a page specifically for reporting security issues. For some companies I had to resort to reporting security issues to the main contact address where it landed at some first-level support guy's desk who had no idea what to do and in the end I gave up and the security hole stayed open.

One thing though: Your bounty of $500 is quite low. I bet this whole incident did/does a lot more damage than that. And to be honest, if I had the choice between $500 and trolling Mark Zuckerberg by posting his private photos album online, I would probably choose the latter option (sans the posting a howto on a forum part).

Disclaimer: I am not a security researcher, I don't even look for vulnerabilities. I just sometimes stumble upon bugs and get curious what other side-effects this bug might cause.


Glad you like it! $500 is actually just the base bounty - I've seen payouts for quite a bit more depending on how nasty the bug is.

At least for me personally, it's not the posting of one person's private photos that is most frustrating - it's public posting of repro instructions so that script kiddies can exploit a bug. That just seems irresponsible.


Knowing about your special page for reporting privacy holes would not change my decision to post it here. I think more good will come when media picks it up and some Facebook users realize that a company with your record of terrible privacy decisions and incompetence should not be used for posting anything private or even at all. If you were a startup stretched for resources or if this hole could've been exploited to install malware, I'd of course attempt to contact you first. $500 for reporting security holes for a company of your size is also insulting, BTW.


The idea with responsible disclosure is that you want to maximize safety of the public by incentivizing vendors to fix problems while not letting malicious actors exploit them: http://en.wikipedia.org/wiki/Responsible_disclosure. Once the vendor has fixed the flaw (or refused to, or taken longer than a reasonable time to do so), it's generally accepted as OK to publish details. You can of course get whatever media coverage you want at that point.

I'm curious - do you think responsible disclosure is a bad idea? Or is the "badness" of this bug small enough (compared to malware) that you think it's better for the common good to publicly post the repro instructions and enable many users to exploit it?

I think having a bug bounty program is actually a lot better than the vast majority of sites / vendors that don't even have a whitehat disclosure program, let alone a bug bounty program. It's worth noting that this is just the base bounty - I've seen us pay out a lot more for good discoveries. $500 is also the base that Google and Mozilla offer for their programs (http://googleonlinesecurity.blogspot.com/2010/11/rewarding-w..., http://www.mozilla.org/security/bug-bounty.html). What would be a good price, do you think? I'm not hooked in enough to know what black market prices are like for bugs like this.


Ah, just realized you're the OP. I don't think there's anything particularly irresponsible about posting an already-public disclosure to HN or other aggregators. It's the first person posting it publicly without first privately disclosing that I find irresponsible.


May I ask for your opinion on the $500 bounty issue that was mentioned?


from http://news.ycombinator.com/item?id=3321366:

> I think having a bug bounty program is actually a lot better than the vast majority of sites / vendors that don't even have a whitehat [aka responsible] disclosure program, let alone a bug bounty program. It's worth noting that this is just the base bounty - I've seen us pay out a lot more for good discoveries. $500 is also the base that Google and Mozilla offer for their programs (http://googleonlinesecurity.blogspot.com/2010/11/rewarding-w..., http://www.mozilla.org/security/bug-bounty.html). What would be a good price, do you think? I'm not hooked in enough to know what black market prices are like for bugs like this.


This was a couple of years back, so maybe the attitude has changed, but... The last time I reported a security problem to Facebook, I got an email warning me about my online activity, telling me that my account might have been hacked, and that my password had been changed as a result. Several weeks later the problem I had been trying to report was still there. I've heard similar experiences from several other people - so even though this guy looks like he was being irresponsible, I personally will no longer report security problems to Facebook because I don't feel like it would get taken seriously, and will probably only inconvenience me further. I'm not sharing this to flame Facebook, I just would honestly like someone on the inside to know this is a problem. I never knew about the whitehat link because all I see on the Help page is targeted towards victims that probably don't know what they're doing.


Shoot, sorry to hear that. I think our attitude has always been pretty good, but the communications channels a few years ago were just not great or easy to find (it sounds like you were stuck on a "my account was hacked" workflow).

We've improved a lot in the last couple years though - we launched the explicit whitehat program in 2010: http://www.insidefacebook.com/2010/12/22/facebook-security-t... and the bug bounty in July of this year: https://www.facebook.com/security/posts/238039389561434.

Feel free to respond here or let me know if you ever run into similar issues with the whitehat program (hopefully you'll change your mind about no longer reporting security problems!).


Well like you said, with an explicit whitehat program, I do think that improves things a lot. The main problem was that I didn't know what to do to not come across as the enemy and/or a nuisance. Next time I find a problem - I'll give the whitehat route a shot - so thanks for sharing.


If people submit via that whitehat feature, do you publicize "XY was possible until 20XX-XX-XX"? I consider that important information.


I don't think we post any details about the exploit, just the fact that someone reported it (see https://www.facebook.com/whitehat). Of course, once we've fixed the bug, the reporter is free to write about the exploit, how long it was live, etc.


I did not mean details about the exploit but details about what the exploit enabled an attacker to do/see.


Yeah, after it's been fixed the person who discovered it is welcome to post details about what it would allow an attacker to do / see / etc.


I think what the OP is trying to say, is that Facebook (as the custodian of our private data) should make available a list of resolved exploits such that we may be aware of potential data leaks.

Eg - up until today, and for who knows how long, photos you thought were private may have been accessed by undesirables.


Yes. In my opinion a website that is open and honest about its caring about privacy would do that.


General form appears to be as follows:

    http://www.facebook.com/ajax/report/social.php?
     __a=1&
     __d=1&
     attach_additional_photos=1&
     cid=((FBID))&
     content_type=0&
     h=((HASH BASED ON YOUR ACCOUNT))&
     phase=6&
     report_id=1&
     rid=((FBID))
After you get that initial hash then you can swap out the CID and the RID and get everyone else (I tried it for 3)... it's pretty easy.

This issue is probably going to make mainstream news by noon.


I tried to follow this url format by using Chrome Developer toolbar after clicking on "report this photo" of a non-private photo to extract my account hash id, rid and cid of the interested person. It's a GET according to Developer tool.

I get this however,

for (;;);{"__ar":1,"error":1357006,"errorSummary":"Don't have Permission","errorDescription":"You don't have sufficient permissions to do that.","payload":null}

Anyone know if it's already patched?


Get the same error, guess it is already fixed.


How would this be sent? Entering it into the address bar returns a blank page, and no change on profile pages.


Sorry just got up ... anyway ... I got it through Firebug and was able to reproduce it in a FireFox Tab, so I assume it was a GET, although it may have been a POST; I didn't cURL the URL from outside the browser though; I'm sure you need cookies.


Excellent find. You can even access around 25 photos from Mark Zuckerberg's profile.

http://imgur.com/a/PrLrB (ps: what a nice photo of them on halloween. very generous too I can see!)


Interesting that those are full-sized. It appeared in the forum post to only be giving access to thumbnail resizes of the original images.


Apparently, you can change a char in the thumb URL to get the full size image URL.


That seems to be true only of certain URLs. For instance, if it's all one long, encoded string followed by _a or _s then changing a or s to n produces the full-size image. However some thumbnails aren't formatted in this way and as far as I know can't be (easily) resized to full. Someone please correct me if I'm wrong.

Edit: it appears this same char is available in both URI formats I was referring to, so yes, full-size images are exposed.


To get the full, full size image try changing from _n to _o. I haven't checked it on the links exposed by discussed method (I'm going to work in a minute), but it's how "Download" link for photos works on normal Facebook photo browser - if you upload a high-resolution picture to Facebook, it's available with _o in the name.


Yeah. Someone posted this on 2nd page

[quote] right click inspect the image copy url in another window change the 'a' to 'n' (the last one right before jpg) =fullsize original image [/quote]


This is a security hole and nothing more. Developers make mistakes. This is not some vast conspiracy by Facebook to undermine your privacy. Why, of all places, is HackerNews unable to comprehend this?


If you see a comment that makes it sound like there's a vast conspiracy, please post in reply to that comment. I don't see any such comment. HN appears to be comprehending just fine.


http://news.ycombinator.com/item?id=3319018

This comment seems to argue that this was intentional.


No. This shows that Facebook has no robust security model at all. Either they do not have any mandatory access control for private data, or someone approved of circumventing such access control measures for this feature. Both are in my opinion unacceptable for a company holding so much potentially sensitive data.


One example of a hole does not make a bucket into a sieve.

For a company of FBs size and personal data contents, I agree, they have a rather scary track record. But saying <symptom of X> implies <X> is fallacious, especially when it's also a symptom of <AAA> through <ZZZ>.


but it does make a tire flat. :)


Agree. A sieve is generally more useful than a bucket with a hole.


A security hole is where some attack vector within the code is overlooked (ex: injection attacks, overflows). A negligent feature is one where the steps to exploit the service were put in explicitly.

What one does this fall into?

At some point a developer coded in a resource that bypasses any privacy data, had it approved by management/coworkers (not sure what model they use) and published it live. I'm certain many people have been exploiting this longer than that forum post existed.


Honestly? I'm willing to chalk this up to a mistake. A reasonable series of circumstances for this would also be that they missed a single permissions check on an otherwise private-only method. It's probably a single line of code, and one that exists in thousands of other places, surrounded by at least hundreds of other lines of code. An easy thing to overlook.


That's not how security should work. The default should be no-access, so that missing a line of code or making a small mistake leads to too much restriction rather than not enough. That would also help the developer notice the mistake, since the feature wouldn't work.


Agreed, but you'd be hard-pressed to find any site that has that as the standard (much less a social site, with so many inter-weaving connections), that isn't crammed down their throat by laws. Even then it's still hard to get (and keep) it correct 100% of the time, and stands in the way of making changes and new features, which are what keep social sites alive and competitive.


I think it's a stretch to call this "just" a mistake. First of all, there isn't any malicious code that has to be run to execute it, it's as simple as clicking a few buttons in the UI.

Secondly, Facebook is a site with hundreds of millions of users managing billions of private photos. With the amount of revenue & number of developers they have, it's inexcusable that they can't think through a simple process like this without considering what happens if two users aren't friends.

Granted, they're probably not "trying" to undermine privacy. But they're doing a very poor job at maintaining it.


I'm downvoting you for saying I think it's a stretch to call this a mistake

If it wasn't on purpose, it was a mistake. Period.

It might be inexcusable, as you later pointed out, but it was still unintentional. Everyone likes to hate on Facebook. If this was a YC startup, I suspect people would be more forgiving.


That's true, if it was a group of three young people starting a new business, I would be more forgiving than about a multi billion dollar corporation with hundreds of engineers and millions in resources.

It was a mistake, but another word for a mistake is 'negligence'. The fact that something like this can happen illustrates systemic shortcomings at the company. Millions of people are depending on them to enforce the privacy restrictions Facebook claims to enforce. Facebook encourages you to store highly personal data, and as such, they have a responsibility to be more careful. Facebook prides themselves on constantly pushing changes to their software. More safeguards, testing, and perhaps slowing down the software development cycle a little would not be a bad idea.


"Another word for a mistake is 'negligence'"

No it isn't.


Fair enough, I mean to say 'what you may call a mistake, I call negligence'. A pattern of making gross errors adds up to negligence... or incompetence.


What's the difference?


Thou shalt goeth unto Google and type define:


If it wasn't on purpose, it was a mistake

I think the problem is that calling it a mistake downplays the issue. I'd say this is grave negligence, because besides the feature itself, it shows a lack of access control systems.


> If this was a YC startup, I suspect people would be more forgiving.

Evidence to the contrary: the Dropbox security fiasco (which sounded worse but was resolved in hours with claims of no malicious activity) prompted several HN entries. HNers aren't so biased as to be blind to inexcusable negligence (esp. because a large majority of us are users of those services and have personal stake.)

Facebook has a history of such "mistakes", a founder who thinks FB users are "dumb fucks" (and has reportedly maliciously used FB's password log), and all the motive in the world to be "negligent" as it's a way they can make money (as long as we don't find out).

The foolish thing to do is to assume this is still a mistake after repeated history of such "mistakes".


There is such a thing as criminal negligence.


aammm... you omitted the word 'just' which archio stressed. Sure, if you take away THE important word of a sentence, then you might as well downvote it.

'a mistake' puts this at the same level of seriousness as other problems. This is at least a big mistake.


I copied and pasted from the original comment. The word "just" was added later.


I think people know that this is a mistake. But it shouldn't have happened. Facebook is a massive, wealthy company that has many many programmers. Bugs like this should not have happened, considering that privacy is one of the biggest media problems Facebook has.


There is a lot of muscle memory to overcome here. It's like Jeffrey Dahmer accidentally killing someone. You can't blame people for jumping to conclusions.


Is Facebook not hiring some of the most talented developers in the industry? This is a ridiculous mistake that should have been tested for prior to production.


No. I went to school with someone who now works at Facebook. To describe him as "most talented" at anything would be a mistake. However, he did have no regard for others or their work.


someone [1] pulled this trick on Zuck's account [2]

1. http://twitter.com/#!/flyosity/status/144065873743839233

2. http://imgur.com/a/PrLrB


This is a little too meta... I tweeted that (that's me!) but the link to Zuck's photos was found further down in the comments here on HN. That's where I saw it.



One of the images is of the last paragraph of the FTC page about Facebook where readers are invited to Like the FTC on Facebook. Background: http://news.ycombinator.com/item?id=3291909


I wonder if the FTC will follow through on the settlement and fine Facebook $10,000 for each violation? There's a dozen or so photos of Zuck, so that's $120K already ...


hold your horses; the tweet is 48 minutes ago whereas robertjordan has a comment on this very page with a timestamp of 4 hrs ago at this moment.

edit: imgur album was also created 4 hrs ago


i'd like to see these tagged. (seriously) anybody know what they are drinking in that last pic? The bottle looks interesting.


Looks like Johnnie Walker Blue.

I'm a little skeezed out at having looked at these photos at all, but "name that liquor" will apparently (in borderline cases like this) trump my principles.


Yep it is, the drink of choice for people who don't want a particularly cheap bottle and pay for label not taste.


Sorry, that's utter bullshit. Blue Label is a perfectly delicious scotch.


It kind of is the Bose Audio of scotch; you can get much better for the price, regardless of how delicious it is.

(I'm pretty much done with scotch these days, though --- tastes like burnt trees --- so I'd defer to strong disagreement).


> It kind of is the Bose Audio of scotch

Does that mean it's the favorite whipping boy of people who like to think of themselves as connoisseurs?


Yes, it means that too.


Let's not exaggerate. Charging $300 for the same performance as a $200 or even $150 product is in the same principle as the fashion industry.


It's not nasty but it's a drink that's blended to taste reasonably bland, designed for drinking alcohol not designed for enjoying the taste. Its target market is people who don't want anything particularly interesting.

Don't get me wrong, it's much nicer than a £20 bottle of blended stuff, but nowhere near good enough to justify the price tag, and the huge majority of scotch drinkers (at least a huge majority of those who buy by taste not price) would rate a much cheaper single malt over it, let alone an equal-costing bottle.

Don't get me wrong, when I get given a bottle I enjoy drinking it, but not as much as the bottles I spend £30-£80 on, let alone the bottles I spend more on. So that's personal opinion, but it's shared by most people who have drunk and enjoyed a decent range.


So from what I get good blended is more expensive than good pure/single malt?

I have never been able to appreciate blended as much as I appreciate pure malt, but my sample is really limited. My favorite so far is Glenlivet 18 years.

edit: pure->pure/single


Exact comparison is of course subjective, but I would prefer JW Blue over the cheapest of single malts, but nowhere near 10x as much. And, I would rather buy a £25 of Glenfiddich 12yo (picked because it is available, in my experience, in pretty much every supermarket and bar in the UK), even if the JW Blue was the same price.

So, good blended is more expensive than as-good single malt - indeed, it is also more expensive than great single malts. The only bottles I'll buy more than once are ones I personally consider great, and for me that's rarely less than £50 and never more than £500.

But, really, price isn't equatable to quality even within a category. You can't say that a £100 bottle will be twice as good as a £50 bottle, nor even that it will be better. The reason for spending more on a bottle is not that more expensive is better, just that, the wider your price range, the more options you have - and naturally, some of the more expensive bottles are better than some of the cheaper ones, and vice versa. If I couldn't afford it I could be perfectly happy with a lower top-end, and actually my second favourite bottle right now does cost around £50.

Two things to note: as with anything subjective, anyone can have a completely different opinion. Some people may genuinely love the JW Blue, enough to justify its cost. Most people who drink it don't, and they either haven't tried nicer whisky, or they are fooled by the price into deciding how good it is without paying attention to the drink itself, or (often) they don't really want to be whisky drinkers, and are doing it for the image not for the taste. But just because the majority are like that, doesn't mean there aren't people who, for their own tastes, are correct in loving it.

Also worth keeping in mind that JW Blue is notorious for being overpriced, don't think of it as representative of blended whisky. There are even nicer drinks in the JW range itself, and Blue is, at least by price, the top of their standard range. Green, for example, is considered by many to be nicer than Blue - not just better value, but nicer ignoring price. (I disagree on that, but at £30 it certainly is much, much better value.)

JW Blue is not whisky makers thinking "how can we make the best scotch", it is businessmen thinking "how can we market this", the drink itself is an afterthought.

edit: Personally I will always think single malts are much, much more attractive. But, blends can be good. JW, instead of trying to play with the blend to create an interesting and unique drink, tries hard to create a bland drink, with no interesting notes, a drink that will be acceptable rather than amazing to as many people as possible. It's not that they tried and failed, being smooth and boring is the purpose of the drink.

edit2: Am I just going on way too much about this?


response2: Are you kidding?

Just a quick note though that if you're opening up the field to whiskey in general, the people who find Johnnie Walker especially drinkable are probably better served by moving to a more drinkable whiskey category in general. Bourbon is as forward as I get these days, and I strongly strongly prefer rye. Either option is bound to be much cheaper than Blue Label, and if you read up on (say) Bourbon and get a little spendy (but not Blue Label spendy), some of the bottles out there are revelatory.

(I say as I tuck into some Black Maple for an evening of Rails dev).


I've literally never tried a good Bourbon - just cheap, cheap stuff when out drinking in America, never tried anything that's supposed to be really nice.

I used to have the scotch-snob assumption that it must, but I've had enough people whose opinions I value call me an idiot. I will at some point give a few a go, but just haven't got round to it yet.


Bulleit bourbon, next time you're around


Green, for example, is considered by many to be nicer than Blue - not just better value, but nicer ignoring price.

I would agree with that. I prefer JW Gold to either, however.


What's the blended scotch you prefer to Johnnie Walker? I tried to avoid the trap of saying "yeah but you can get Springbank for half the price".


Personally I would always choose a single malt, and as such I'm not an expert in blends. That said, plenty of people tell me that blends can be pretty good, so I try not to judge them too much - although truthfully I do think of them worse objectively as well. A great blend might be better than a poor scotch, but I think the worst and best of blends are lower than the worst and best of scotches.


Check out Dewars White Label - http://www.epinions.com/reviews/pr-Dewars_White_Label_Scotch... One of the better blended scotches I've had.

Granted it's pompous but if you're going to spend the money a single malt is probably a good investment. Stop by a quality store and they'll be able to pick one out to fit your tastes.


Is he going to kill that poor dog to eat for dinner?



   449,543  like this
   16,516   talking about this
That's a popular dog.


Funny how something like this is originally posted on a body building forum. I think the first reports of the recent Penn State scandal were posted there too (around a year ago.) Who would have thought that's where you'd first find such things?


Bodybuilding.com started as a forum about bodybuilding, but over the years morphed into a large general message board with all sorts of members.

Behold, "misc," the /b/ of bodybuilding.com: http://forum.bodybuilding.com/forumdisplay.php?f=19


The Misc is probably my favorite general forum on the internet. Surprisingly-high level of discourse and genial atmosphere for a forum dedicated to lifting weights. HN would be pretty impressed with the number of engineers and entrepreneurs there as well :)


This was posted in Misc. Misc has nothing to do with bodybuilding, it just happens to be part of a bodybuilding forum.

As pud mentioned, they're basically /b/tards.


If that doesn't prove that FB's developers aren't thinking about security, I don't know what would. Nobody who is in a culture of protecting security would even consider building this.


Or privacy. The assumption here is that if someone thinks you have an inappropriate photo, you now have no right to privacy?


No, it's surely just a mistake. No one made an affirmative decision to skip "privacy". What happened is that whoever added the "select more images to block" feature somehow did it in a way that skips the normal access checks.

If there's a goof here, it's that the framework they've built apparently doesn't make the privacy controls mandatory. Developers have to remember to "turn them on" by calling an access control predicate or whatnot. That's bad. That's dumb. But it's not malicious.
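The "default should be no-access" point made earlier in the thread and the "developers have to remember to turn the checks on" point above, as an added illustration that is not Facebook's code and assumes nothing about their framework: a constructed fixture (users ALICE/BOB/MALLORY, three photos) contrasts an opt-in data layer, where one forgotten predicate call leaks everything, with a default-deny data layer that filters every read and fails closed when no viewer context is supplied.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed fixture: ids and friendships are made up for this example.
ALICE, BOB, MALLORY = 1, 2, 3          # Bob is Alice's friend; Mallory is a stranger
FRIENDS = {ALICE: {BOB}, BOB: {ALICE}}


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner_id: int
    privacy: str  # "public", "friends" or "only_me"


ALICE_PHOTOS = [
    Photo(101, ALICE, "public"),
    Photo(102, ALICE, "friends"),
    Photo(103, ALICE, "only_me"),
]


def can_view(viewer_id: int, photo: Photo) -> bool:
    """The single privacy predicate every photo read is supposed to pass."""
    if viewer_id == photo.owner_id or photo.privacy == "public":
        return True
    if photo.privacy == "friends":
        return viewer_id in FRIENDS.get(photo.owner_id, set())
    return False


# Pattern 1 (opt-in checks): the data layer returns everything and relies on
# each caller to remember can_view(). The report flow below is the one caller
# that forgot, which is the shape of bug this thread describes.
def photos_of_unchecked(owner_id: int) -> list[Photo]:
    return [p for p in ALICE_PHOTOS if p.owner_id == owner_id]


def report_flow_opt_in(viewer_id: int, reported_user_id: int) -> list[Photo]:
    # Missing here: [p for p in ... if can_view(viewer_id, p)]
    return photos_of_unchecked(reported_user_id)


# Pattern 2 (default deny): the data layer itself demands a viewer context and
# filters on can_view(). A caller that forgets cannot obtain an unfiltered
# list, and a read with no viewer context raises instead of returning all,
# so the mistake shows up as a broken feature rather than a leak.
def photos_of(viewer_id: int | None, owner_id: int) -> list[Photo]:
    if viewer_id is None:
        raise PermissionError("photo read without a viewer context")
    return [p for p in ALICE_PHOTOS
            if p.owner_id == owner_id and can_view(viewer_id, p)]


def report_flow_default_deny(session_user_id: int | None,
                             reported_user_id: int) -> list[Photo]:
    # The viewer comes from the authenticated session, never from a request
    # parameter the client controls (the thread's cid/rid values).
    return photos_of(session_user_id, reported_user_id)
```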


I doubt that's the way this happened. More likely, the person who implemented the "inappropriate photo" feature wasn't fully aware that the "Report" functionality was enabled for everyone and not just your friends.

However, someone had to implement the backend for listing out those photos, and they clearly didn't think of access control, so there's at least something fishy here…


It's not the first time either. Very similar breach of privacy happened when they implemented "view my profile as ..." functionality. You gained access to the private data of the user you were simulating.


That's why their philosophy is 'Move fast and break stuff'. The alternative might be a slow moving bureaucracy that never iterates new features.


"Move fast and break stuff" is a philosophy that is simply not compatible with "Your privacy is very important to us" (http://www.facebook.com/legal/terms) and "We take safety issues very seriously, especially with children" (http://www.facebook.com/about/privacy/minors).


This isn't even a security hole, it's a complete security disaster. Did they even think through the process for five minutes before they built that? I mean, there aren't even any hacks involved.

Nice find.


> there aren't even any hacks involved

I doubt law enforcement would see it that way. Downloading photos with this method is not much different than guessing somebody's email or voicemail password; you're accessing something you're not supposed to.

See 18 U.S.C. § 1030(a)(2)(C) and § 2701.


This is probably closer to guessing someone's phone number than their password.


I wouldn't bet jail time that a judge sees it that way.


Well, the question is, how far does that go? If I put up photos on a public web server intending them to be private, is that still legal?


It goes as far as is reasonable. The law gets interpreted in a court of law by human beings that make decisions about whether a reasonable person would expect that to be private and the intent of the person that found the images anyway.


Here's a good writeup of the state laws, http://law.jrank.org/pages/11804/Computer-Crimes.html

  It is not enough for purposes of these laws to accidentally or
  unintentionally wander into areas on the internet where valuable
  or secure information may reside. If one enters such an area
  using computers or computer technology, his/her intent must be
  to steal, destroy or defraud to be found guilty of a crime.
For example, David Kernell was convicted of "misdemeanor computer intrusion"[1] for accessing Sarah Palin's Yahoo! email.

[1] http://www.esecurityplanet.com/headlines/article.php/3879756...


Given Facebook's history at accidentally or intentionally making 'private' material quite public, what would a reasonable person expect? A well informed one, anyway.


Facebook is an excellent personal marketing tool. However, I think at this point you'd have to be a fool to put material on it you want to be private. Of course, what PT Barnum said....


"Of course, what PT Barnum said..."

Or possibly didn't say:

http://en.wikipedia.org/wiki/Theres_a_sucker_born_every_minu...


It looks like HN removed the apostrophe so here is a bit.ly version that works.

http://bit.ly/kyYCxk


Seriously, FB, do you have no QA whatsoever?

I wonder whether this is limited to photos in the profile album, or whatever it is called, these days.

EDIT: I'll add this suggestion that I've made before, since you're going to have a LOT of people wanting to delete photos, if this problem proves to be significant. Delegate someone to spend a few hours writing a routine that will replace a cached photo with an identically sized, all white (or black, blue, whatever), no metadata generated image. So, you don't have to rebuild your image caches in order to ensure that a photo is really gone (well, except for the fact that it once existed, as demonstrated by the working URL and white image).

I've read the excuse made in the past that aggressive, large, integrated image caches made actual photo deletion "not an option". As long as you can overwrite existing bits in place, this should solve that. (Although I don't know about all the tagging you've now since overlaid onto the images.)


Isn't there another problem with Facebook, where none of your photos are ever deleted and can be accessed by the direct URL at any time?


I haven't kept up, but IIRC that used to be the case. And that's what I'm addressing.

A few years ago, I believe, they explained that they generate these ginormous image caches where, IIRC, individual images are not distinct files.

My point is, regardless, if you can find the image (and its extent), and if the cache data are still write-able, then overlay a generated "blank" image onto the cached image, in place. You still have some data leakage, in that the working URL confirms that there was an image having that URL. But for most cases, I believe this would suffice.

I guess they'd also have to track down and overwrite the various thumbnail versions, but if their systems can already find these in the course of their normal work, this shouldn't be a problem.

As for overlaid tag data and whatnot, I'm not sure what to suggest. At a first pass, I'd suggest just deleting (or "offlining" or whatever, given that FB apparently never really deletes anything) that data. But I don't know what continuing dependencies that might break.

EDIT: I should add that I don't know whether/how such image caches are replicated. And perpetuating such an overwrite against multiple replications might not be easy / something the existing design supports.

Nonetheless, I think it's something they should support. At a minimum, when a user really wants to delete an image, then overwrite its segment of whatever image cache file with a "blank" equivalent.

Although... then you get into what may be legally required and/or prudent, from FB's perspective, to retain.

I'll stick to the simplistic user perspective: When I say delete, I mean delete.
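As an added illustration of the in-place overwrite proposed in the comment above (example code, not from the thread or from Facebook): a toy packed cache of uncompressed PPM images, where one entry is replaced by a blank of equal pixel dimensions so neighbouring entries stay untouched, while the slot itself still resolves. The cache layout and index are assumptions.

```python
# Toy packed image cache (constructed): several binary PPM (P6) images stored
# back to back in one blob, plus an index mapping image id -> (offset, length).
# This stands in for the large packed caches described above; the layout is an
# assumption for illustration only.

def make_ppm(width, height, rgb):
    """Build an uncompressed P6 image filled with a single colour."""
    header = b"P6\n%d %d\n255\n" % (width, height)
    return header + bytes(rgb) * (width * height)

def ppm_dimensions(data):
    """Parse (width, height) from a P6 header; tokens are whitespace separated."""
    tokens = data.split(maxsplit=4)  # b'P6', width, height, maxval, pixels
    if tokens[0] != b"P6":
        raise ValueError("not a P6 image")
    return int(tokens[1]), int(tokens[2])

def build_cache(images):
    """Pack images into one mutable blob and return (blob, index)."""
    blob, index = bytearray(), {}
    for name, data in images.items():
        index[name] = (len(blob), len(data))
        blob += data
    return blob, index

def scrub_in_place(blob, index, name):
    """Overwrite one cached image with a blank of the same pixel dimensions.

    The replacement must fit inside the entry's existing extent so the
    neighbouring entries are never touched; any slack is zero-filled so
    no original pixel bytes survive in the slot.
    """
    offset, length = index[name]
    width, height = ppm_dimensions(bytes(blob[offset:offset + length]))
    blank = make_ppm(width, height, (255, 255, 255))
    if len(blank) > length:
        raise ValueError("blank image would spill into the next cache entry")
    blob[offset:offset + length] = blank + b"\x00" * (length - len(blank))
    # The slot (and thus any URL pointing at it) still resolves: this is the
    # residual leakage the comment acknowledges.
    return index[name]
```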


Maybe that was true in the past, but today when you delete your data it is gone. Trust me, I wrote it myself. The law enforcement guidelines that have been circulating recently corroborate this.


Thank you for the update/clarification.

I deleted a couple of pictures this morning (nothing 'nekkid' ;-) and will have a look to confirm that they are indeed "gone" (inaccessible via direct URL -- albeit the URL of a CDN).

Would you happen to have the identity or URL of a specific guideline that you could point to?

EDIT: I just checked the URL of an image I deleted about an hour and a half ago, and that image is still accessible. It is under akamaihd.net; nonetheless, it is still accessible.


Things take a while to fall out of the CDN cache; I forget what the TTL is these days, but it should be reasonable.


Understandable. I'll check again, a bit later.

Thanks again for taking the time to reply.


About 6:20 since deletion, and the images are still accessible at their akamaihd.net addresses. I'll have a look again tomorrow.


We are probably talking days, not hours here. But your underlying photo metadata is already gone.


Is this true for all data - account details and whatnot? I deleted (not deactivated) my account a few months ago and just assumed everything would remain somewhere in FB's system.


Delete generally means gone forever. If you wanted your account gone (but not permanently) you should use the deactivate option.


Seems to be already fixed. The last option described in this tutorial is not there any longer.


It's still working for me. Tested a few minutes back. I tried this on different proxies as well, so it cannot be region specific.

Maybe they are rolling it out (let's say blocking it out) slowly now.


Reading the thread, it seems that it doesn't work for all accounts, and there is speculation it only works if you have the US English locale.


Created a throwaway account to test this against my own account, didn't work even with US English set. There's more to it.


May be a new option that's only being deployed to a small set of users.


It would seem based on the screenshot ("Message x to ask them to remove the photo...") that they must have specific permissions set to cause this to work as I can't replicate on people that I can't message.


I disagree. You can message people that you aren't friends with. See the first screen shot ("add her as a friend or send her a message").

I think the reason it only works on some profiles is that perhaps the profile pictures are the only ones that it will show you. And some people only have one profile photo. (This is an untested theory / guess.)


Tested this theory against my account using another throwaway one. My real account has several profile pictures and the exploit didn't work.


Whether or not non-friends can message you is a privacy setting.


Boy, I wonder what the FTC will say about this...


This is how many days after the FTC settlement?


The more often this happens, maybe the more normal people will understand that anything put online should be considered to be public. The illusion of the walled garden eventually comes down, either through a vulnerability, policy change, or simply user error.


I wonder how people discover this


Still works.


mirror to exploit instructions + pictures http://www.multiupload.com/RC184ELRZ9


This is why I never post private pictures on Facebook.


Ugh, JW blue


Moving fast and breaking things.


Don't do it, kids. You'll find photos of that girl you pined for 2 years after you never made your move and she's way more fun and in way better shape than you ever guessed. It's rough to ruin the fantasy, but torture to augment it.

