Posted by theharmonyguy in Facebook | 2 comments

Facebook Knows What You Did Last Summer

Pardon the creative title. In working on accessing Facebook photo albums lately, I noticed that one of the stories on Mark Zuckerberg’s privacy settings mentioned that he’d removed his events from his profile. After finding a way to view public photo albums, I wondered if I could find a way to pull up a user’s public events. That pursuit taught me a little more about Facebook’s privacy settings, and also raised another aspect of Facebook privacy I’d not previously considered.

At first, I followed the same approach as with photos – I tried to make special requests that imitate what happens when you click on a tab in a user’s profile. Doing so brought up no event information for Mark Zuckerberg, but did for a friend of a friend. It turned out this behavior could actually be controlled by a user’s privacy settings. However, the setting may not be where you’d expect – it’s on your application settings page. Facebook treats their events module as an application, and in the settings for the Events application is a field controlling who can see the application. Setting it to “Only Friends” blocks the trick I was using if you’re not the person’s friend; I’m guessing the same setting for the Photos application would block the bookmarklet I posted.

But while Events does appear in the application settings page, it’s not your average application. I knew that the Facebook API included commands for requesting event data. I loaded up Facebook’s API Test Console, set the method to events.get, and put in a user ID.

What came up surprised me – a complete record of practically every public event that user had been invited to. Note that this was not a friend of mine. I could easily filter by whether they had RSVP’d that they were attending the event.

The list only includes “open events,” (Update: “Closed” events are also visible, just not “secret” events) those that are publicly accessible. But the results reminded me of the controversy over Facebook’s original News Feed – while the feature didn’t expose any new data, it made it much easier to access. I’m guessing most Facebook users do not realize you can pull up a list of all the public events they’ve attended so easily.

Also, any application that a user authorizes also has access to secret events a user has been invited to, since the application operates on behalf of the user.

Seeing years of events come up when I put in my own Facebook ID was a wake-up call for me. I handle event requests routinely, but hadn’t really ever given thought to the fact that Facebook has stored all that information – and makes it accessible to others (for public events) and applications. It’s one more aspect of privacy that Facebook users may want to reconsider.

Posted by theharmonyguy in Facebook | 16 comments

Easily View Hidden Facebook Photo Albums

Update

I’ve now posted a new way to view hidden Facebook photos, and the updated code provides access to all available albums. Please see the post “New Trick to View Hidden Facebook Photos and Tabs” for further information and to update your bookmark.

Original Post

In a previous post, I noted that Facebook had removed access to photo albums for any user not your friend. Soon after Facebook rolled out new privacy controls, some users noticed that they could view anyone’s photo albums marked visible to “everyone,” most notably a few from Facebook’s founder, Mark Zuckerberg. Soon after those reports, however, it appeared that the albums were no longer available, as “Photos” tabs disappeared from public profiles and visiting photos.php simply gave an error message.

But as I described, access had not been cut off – Facebook had simply made the albums harder to find. This practice, known as security through obscurity, can mislead users who think their hidden content is safe from prying eyes. To prove my point, I gave directions on how to load the public photo albums of any given Facebook user.

Those directions were a bit technical, however, and I wanted to make the point more obvious. After working through more Facebook code, I came up with a bookmarklet (a bit of JavaScript you can store as a bookmark in your browser) for viewing public photo albums. Bookmark this link, or copy the code below. (Tested in recent versions of Opera, Firefox, and Chrome.)

javascript:(function(){function y(){if(x.readyState==4){q=x.responseText.substring(9);p=eval(‘(‘+q+’)');document.getElementById(‘tab_canvas’).innerHTML=p.payload.tab_content;}}x=window.XMLHttpRequest?new window.XMLHttpRequest:(window.ActiveXObject?new ActiveXObject(“MSXML2.XMLHTTP”):null);x.onreadystatechange=y;x.open(‘POST’,'http://www.facebook.com/ajax/profile/tab.php’,true);x.send(‘id=’+ProfileURIController._profileId+’&v=photos&__a=1′);})()

Once you’ve saved the link, simply visit someone’s public Facebook profile, then load the bookmarklet. It will replace the body of the user’s profile with a list of links to public albums, if any are available. The results are not formatted well, and only include the first page of albums, but the code works enough to at least demonstrate that public albums are not as well-hidden as you might expect.

I’ve browsed through some random profiles, as well as some more prominent Facebook users, and I think many would be surprised by how many photos I was able to access through this trick. Note that this code does not circumvent privacy settings in any way – it simply makes visible albums you can rightfully access but that Facebook has hidden from view otherwise.

At some point, users who have followed default album settings in the past and left many photos accessible to “everyone” are in for a shock when they realize the implications of those choices. I personally think it best for them to realize that now instead of later, which is why I decided to release this technique.

Posted by theharmonyguy in Facebook | 1 comment

Positive Developments from Facebook

A few months back, I recall security analyst Kevin Johnson musing that the security community often hears negative stories about hacks and vulnerabilities, but rarely does one see positive reports about the times when security works and black hats fail. I thought about this during the Month of Facebook Bugs, when I came across one application (My City) whose ASP.NET framework blocked my XSS attempts stone cold.

While it’s no secret that I don’t always see eye-to-eye with the leadership of Facebook, I wanted to take this post to give them a few shout-outs instead of critiquing. Amid all the negative reports about Facebook decisions, I have seen a few developments I find encouraging.

First, Facebook has taken action against deceptive advertisements and ad networks that harvest application credentials to access user information. While I’ve argued that some of these steps were long overdue and that Facebook could have done even more, I’m grateful that they did something and that they cracked down hard on credential hijacking.

Second, one of the main responses I’ve advocated for application problems is simply to better educate developers, and I would say that Facebook has done a much better job emphasizing security issues recently. (I’m not taking credit for the change, simply applauding it as a move I endorse.) Last month, Ryan McGeehan (Facebook’s manager for security incident response) posted an official blog entry reminding developers of important security issues, providing helpful resources on the subject, and announcing a new Platform wiki article with even more information. I know from experience that Ryan is a great guy who cares about security – he patiently fielded dozens of e-mails from me in September as I relayed details on the Month of Facebook Bugs. I’m thrilled to see a security section on the main documentation site for the Facebook Platform. By the way, Facebook also has a fan page with information on security, including a section dedicated to white hats – you can get your name there if you follow their responsible disclosure guidelines.

Finally, Facebook began enforcing new, stricter Platform policies today. Among the changes, developers are now required to

Provide a link to your privacy policy in the Info section of your Application Profile page and on every page of your application.

I was honestly surprised that Facebook would require a link on every page. After seeing quite disappointing results in my study on application privacy policies this summer, I congratulate Facebook on raising the bar. Many users may not notice the new links, but a encouraging developers to establish and advertise privacy policies is a step in the right direction.

While I’m not afraid to make noise about negative trends or privacy risks I see in services such as Facebook or Google Wave, at the end of the day, it’s nothing personal. I may disagree with the developers or executives at Facebook about product architectures or content sharing, but I think we can all agree that we want to protect end users. The three steps listed above certainly help that goal, so in that regard, kudos to Facebook.

Posted by theharmonyguy in Facebook | No comments

Facebook Application Privacy Confusion Continues

Many technology journalists and privacy advocates have criticized aspects of Facebook’s new privacy controls and default settings. But I’ve noticed one aspect to the changes that I find disappointing, and thus far I’ve not seen it noted elsewhere.

You may recall that earlier this year, Facebook came under scrutiny by the Privacy Commissioner of Canada. Several concerns the Commissioner’s office raised related to Facebook applications. Readers of this blog were already quite familiar with privacy issues relating to applications, but the Canadian investigation brought them to the forefront, and Facebook responded by promising sweeping changes to their platform.

When the new privacy controls launched on my own Facebook profile, I took a look at the section for “Applications and Websites.” At first, my feelings were mixed. Facebook had finally made it clear that the checkboxes of various fields you could elect to share applied only to applications your friends used. (The previous setup was far more confusing and led to even major technology sites errantly reporting that the controls applied to applications you used as well.) But Facebook had also removed the option to exempt yourself from the Platform completely.

But then I clicked the button to “Learn More” about what I shared when using applications and web sites. I’ve long talked about the need to educate users, so perhaps this would finally clarify how much access applications have. Instead, I was stunned to read this statement:

When you visit a Facebook-enhanced application or website, it may access any information you have made visible to Everyone (Edit Profile Privacy) as well as your publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages. The application will request your permission to access any additional information it needs.

Excuse me?

At first, I thought this was simply false. The way I read it, authorizing an application gave it access to your PAI and anything visible to “Everyone,” but if the application also wanted, say, your favorite movies, it would ask you first. While Facebook has vowed to eventually roll out such a setup, it has not yet appeared and was not promised to be fully in place until fall of next year.

But then I realized what the paragraph was actually communicating. An application has access to your PAI and anything visible to “Everyone” as soon as you stop by – no authorization necessary. (This may lead to a few surprises and scares in the near future.) That last bit about requesting your permission for any additional information refers to authorizing the application. In other words, if the application needs any more data, it will request authorization – which gives it access to all of your personal data.

Some may counter that the confusion here lies with me alone, and I ought not presume that users will make the same mistake. However, given that users have already been trained to authorize applications before using them at all (not to mention whether users even distinguish applications from the Facebook brand), I’m quite certain this new paragraph will continue to produce the sort of myths I’ve seen published about the old application privacy settings. In any event, Facebook has resorted to language that could at best be described as somewhat vague.

Please correct me if you think I’m wrong, but I find the last sentence of Facebook’s new explanation very misleading. It gives the impression that applications will politely ask users for more personal details if they become particularly necessary, when in fact most people who use a given application have already authorized it and thus already given it full access to personal profile information.

After all of the controversies, studies, confusions, misstatements, and problems that have come about this past year regarding privacy and Facebook applications, and especially in light of the previous pressure from Canada, I would have thought that Facebook would take this opportunity to add a more thorough and clear exposition of what applications can access and do with user information. Perhaps I’m being too hard on their new attempt. But if the past is any indication, I expect user misunderstandings over Facebook applications to persist.

Posted by theharmonyguy in Facebook | 31 comments

With Facebook Privacy, Everyone Means Everyone

“Security through obscurity” refers to the idea that content can be kept safe by making it hard to find rather than inaccessible without authorization. Many photo hosting sites use complicated URIs for uploaded pictures, making it very unlikely anyone would simply stumble across a particular picture by entering a random address. End users may think such a setup is reliable enough to keep their content private.

However, security researchers routinely criticize the notion that obscurity provides much security at all. Hidden content is often more easily found than people may suspect. Even if finding the content may not seem obvious, tricks often exist to work around a system’s obscurity and gain even targeted access to resources.

Case in point: Facebook’s photo albums. For years, the default level of access on new albums has been “Everyone.” Up until this week, many Facebook users apparently paid little attention to their privacy settings, and while someone could theoretically access a public photo album, the likelihood of someone guessing a legitimate album ID for a particular user seemed remote. Although many people (including this blogger) had pointed out that albums could be accessed given the file name of one photo within the album, that still required more knowledge than most would-be photo hunters would have.

But as Facebook has rolled out their new privacy model (a story I’ve not covered here as it’s been well documented elsewhere, and I’ve been posting relevant links on my Twitter), users are suddenly taking note of who can access what on their profiles. In an ironic turn of events, Mark Zuckerberg’s personal photo albums became easily accessible after the privacy switch. It’s likely Zuckerberg had set his albums to “Everyone,” but until now the list of albums was not included on someone’s profile unless you were their friend.

In the past, developers used Facebook’s API to access public albums for non-friends, but Facebook shut off that functionality. After the Zuckerberg story, Facebook apparently removed users’ photo album lists from the profiles of non-friends, once again resorting to a security through obscurity approach.

Once again, though, the new behavior has a simple workaround. Create a new web page and insert an inline frame with this URI: http://www.facebook.com/ajax/profile/tab.php?id=USERID&v=photos&iframe=true Replace the “USERID” part with a Facebook user’s ID number. Load your page and view the source of the iframe. You’ll see a block of HTML encoded within some JavaScript, and embedded in that HTML are links to the user’s photo albums that you can access. Note that loading the Facebook URI directly will not work – you must use an iframe.

I have no problems posting this as I’m not foiling any of a user’s privacy settings or somehow working around Facebook’s access restrictions. This trick only exposes albums that you can access based on the albums’ privacy settings. Of course, many Facebook users may be surprised to see which of their albums can be accessed by non-friends this way.

The lesson here is that on Facebook, “Everyone” really does mean everyone. Take the time to check all of your privacy settings and make sure nothing is set to “Everyone” that you wouldn’t want the entire Internet to see.

In fact, many would argue that you shouldn’t post anything on Facebook that you don’t want the entire Internet to see, since despite Facebook’s many privacy settings, much of your content has long been accessible via Facebook applications – and security issues with applications are well-documented.

Does that mean you should never use Facebook? At some point, we have to live our lives, and that always includes risks. The key is awareness – think about what you’re posting, understand the ramifications of your privacy settings, and stay current with changes in online security and privacy. Those steps are some of the most important in protecting your identity.

Update: As with API access before, Facebook issued a patch some time in the last five hours that blocks the trick I described for accessing public albums. Honestly, this doesn’t make much sense, since the albums are marked for “everyone.” If anything, it trains users to rely on security through obscurity.

Amusingly enough, while Mark Zuckerberg’s albums are still accessible by URI (according to reports, he made them public on purpose), some of the other Facebook employee albums that I had previously accessed are now inaccessible – meaning the album owner may have been trusting in security through obscurity until now as well.

Update 2 (12/15): At present, a slight adjustment to my previously posted trick once again enables access to a user’s public albums. Adding the parameter &__a=1 to the end of the old URI once again loads the album links (e.g. http://www.facebook.com/ajax/profile/tab.php?id=4&v=photos&iframe=true&__a=1 for Mark Zuckerberg’s albums). The parameter &sb= can be used to access multiple pages of albums (“sb” seems to be set to multiples of 4 or 5). Please note that you still need to use the iframe setup I described earlier. Anyone interested in further details or a demonstration can e-mail theharmonyguy via Gmail.

Keep in mind Facebook may block this version of the trick at any time. However, as I noted before, this only provides access to albums which users have marked as being for “everyone,” and thus should not even be required in the first place. If Facebook truly wants to make sharing content easier, why not simply provide a list of public photo albums on a user’s profile? The issue here is not a problem of privacy, but user expectations. Facebook has trained users to accept default settings on photo albums while thinking they’re not easily accessible. Making the albums hard to find gives an illusion of privacy and only delays any rude awakenings that may come from users who have inadvertently shared private photos.

Update 3: I may have spoken too soon last week; I just tried using the URI without &__a=1 and it still worked. Perhaps there was simply a glitch before when I thought the trick had been blocked.