Mug Shot
Disclaimer: As much as I would love to claim I am such, I’m not a professional security researcher and only circumstance led me to find this. Also, I haven’t really looked into whether anyone has already written up about this particular privacy leak or not, and to take the time to go through the gobs of Google search results on the subject of Facebook privacy would be asking me to give up everything else for a solid week (or more). So, if you’ve already written this up, feel free to drop me a line and I’ll give you credit for the find. (See? I’m not that hard to work with…)
Also, I might be editing/revising this article over the next day or two. If you notice it changing…well, you know why.
Introduction
Facebook is quite the popular web destination these days, at least in the United States. And, as with any other social networking site, they have their ups and downs when it comes to privacy leaks. People report them, Facebook fixes them, and all is right with the world. So, consider this just the next iteration of the cycle.
The Situation
From what I’ve discovered, it’s possible for a new friend to see images that your privacy settings would ordinarily prevent them from seeing, although only as thumbnails. This may not be a concern for some people, but for the security-conscious it poses a risk whenever the thumbnail still gives away what the full photo would: who is in it and where it was taken, for instance. (In other words, your drunken photo shoot might still be visible to people who, according to your privacy settings, can’t see your album. This might be a good time for me to point out that you shouldn’t be posting your wild drinking parties to Facebook anyway, lest you have your diploma changed.)
Discovery (a.k.a. Boring Narrative Section)
For whatever reason, I found it appropriate to reserve a second account with one of my nicknames, though I didn’t do anything with it and left the account public (more or less as a dummy). Over the past week, the account started getting messages (and I started getting e-mails) from people asking why this account would be sitting there without bothering to use any of the features of Facebook or making an effort to add people as friends.
I was curious as to how visible my real account was (and getting tired of these inquiries), so I decided to at least link the blasted dummy account with my real one. In doing so, I decided to mess around with the privacy groups I’ve been maintaining. A few clicks later, I noticed that something was wrong…
The Flaw
This isn’t hard to recreate, either. In a few short steps, you too can be wondering why you can look at your “private” thumbnails. To start, though, you’ll need the following:
- A Facebook account with the following:
  - Some photos of you tagged (if you’re testing this for yourself, you might as well use your own).
  - At least one “group” defined that is denied from viewing photos tagged with your name.
- A Facebook account that is not friends with your current account (which means you’ll need a second e-mail address if you don’t already have such an account).
- Optional: A second web browser.
  - You’re going to be doing a lot of flipping back and forth between accounts so you can simulate the actions of two users. A second web browser will allow you to avoid having to log out and back in as the other user every step or two.
Now that you’ve got everything you need, let’s put it all in the oven and bake it at 350°F for fifteen minutes.
Note: Some of the links in these steps are to screenshots I took as I went through one of my test runs. If you get lost or you don’t actually want to follow along, the images accompanying this writeup should be enough. However, you’ll need to keep track of the user I’m logged in as (“Nick Tabick” or “Nt TestAccount”) for the full effect; you can tell which user I’m logged in as by looking at the name in the upper-right corner of the page near the search textbox.
- As previously mentioned, you’re going to need a second account, so if you don’t have one, you’ll need to register for one, activate it using the e-mail Facebook sends, and make sure that you can log into it. Whatever information you provide for the account is up to you (and you can always get rid of the account afterwards).
- Log into the account with the tagged photos, find your dummy account, and request to add it as a friend. Make sure to add the account to a group that lacks photo-viewing rights (though I assume that preventing all friends from viewing said photos will work just as well, I have not tested this).
- Naturally, we’re going to need to confirm that request, so now would be a good time to jump back to your dummy account and do so.
- With any luck, Facebook will report that you’re now friends…and…oh, wait – you shouldn’t be seeing these.
Aside from this one little thumbnail slip-up, Facebook won’t let you see those “embarrassing photos” (as it shouldn’t): the full-size images stay out of reach of the dummy account. The privacy settings only seem to be forgotten at the moment the two accounts first become friends, and only for the thumbnails shown then.
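The symptom above (full-size view blocked, thumbnails on the “you’re now friends” page not) is what you get when two code paths render the same private object but only one of them consults the owner’s privacy settings. The model below is an added example, written for this write-up; it is not Facebook’s code, and the cause it models (a friend-confirmation summary that checks only “are these two accounts friends?” while the album view checks the group restrictions) is an assumption consistent with the observed behaviour, not something the post establishes. Names, the `limited` group label and the placeholder image bytes are all constructed for the example.

```python
"""Hypothetical model of the thumbnail leak (not Facebook code).

Two endpoints render the same photo: the album view goes through the
owner's privacy settings, while the "you are now friends" summary page
only checks friendship. Any derivative of a private object (thumbnail,
preview, search snippet) has to pass the same authorization gate as the
object itself.
"""
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: int
    tagged: set       # names of the users tagged in the photo
    full: bytes       # full-size image (placeholder bytes, constructed)
    thumb: bytes      # thumbnail derived from it (placeholder, constructed)


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)            # friend -> set of group labels
    deny_tagged_photos: set = field(default_factory=set)  # groups denied my tagged photos


class PhotoService:
    def __init__(self):
        self.users = {}
        self.photos = {}
        self.pending = {}  # (requester, target) -> group the requester filed them under

    def add_user(self, name):
        self.users[name] = User(name)

    def add_photo(self, photo):
        self.photos[photo.photo_id] = photo

    def send_request(self, requester, target, group=None):
        # The requester chooses a privacy group for the target at request time.
        self.pending[(requester, target)] = group

    def confirm_request(self, requester, target):
        group = self.pending.pop((requester, target))
        self.users[requester].friends.add(target)
        self.users[target].friends.add(requester)
        if group is not None:
            self.users[requester].groups.setdefault(target, set()).add(group)

    def can_view_tagged_photo(self, viewer, photo):
        """The one gate: every tagged user's settings must allow the viewer."""
        for tagged in photo.tagged:
            if viewer == tagged:
                continue
            owner = self.users[tagged]
            if viewer not in owner.friends:
                return False
            if owner.groups.get(viewer, set()) & owner.deny_tagged_photos:
                return False
        return True

    def album_view(self, viewer, photo_id):
        photo = self.photos[photo_id]
        return photo.full if self.can_view_tagged_photo(viewer, photo) else None

    def new_friend_summary_leaky(self, viewer, new_friend):
        # Modeled bug: the summary page checks friendship only, so the
        # group restriction set during the request is never consulted.
        if new_friend not in self.users[viewer].friends:
            return []
        return [p.thumb for p in self.photos.values() if new_friend in p.tagged]

    def new_friend_summary_fixed(self, viewer, new_friend):
        # Fix: thumbnails go through the same gate as the full-size image.
        return [p.thumb for p in self.photos.values()
                if new_friend in p.tagged and self.can_view_tagged_photo(viewer, p)]


def reproduce():
    """Replays the write-up's steps and returns what the dummy account can see."""
    svc = PhotoService()
    svc.add_user("Nick Tabick")
    svc.add_user("Nt TestAccount")
    svc.users["Nick Tabick"].deny_tagged_photos.add("limited")
    svc.add_photo(Photo(1, {"Nick Tabick"}, b"<full-size jpeg>", b"<thumbnail>"))
    svc.send_request("Nick Tabick", "Nt TestAccount", group="limited")
    svc.confirm_request("Nick Tabick", "Nt TestAccount")
    return {
        "full": svc.album_view("Nt TestAccount", 1),                              # None
        "leaky": svc.new_friend_summary_leaky("Nt TestAccount", "Nick Tabick"),   # [b"<thumbnail>"]
        "fixed": svc.new_friend_summary_fixed("Nt TestAccount", "Nick Tabick"),   # []
    }


if __name__ == "__main__":
    print(reproduce())
```

The check a practitioner takes away from this is not the specific bug but the invariant: enumerate every place a private object is rendered in any form and confirm each one calls the same authorization function, rather than a local shortcut such as “is a friend”.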
Remarks & Conclusion
By now, you’ve probably also noticed that my primary account is hidden from searches unless you and I have mutual friends (and “Nt TestAccount” has no friends, but is publicly visible), which is why I had to request friendship in this direction and not the other. I am sure that had “Nt TestAccount” requested the friendship and not “Nick Tabick,” there wouldn’t have been anything interesting to see. While this may not be the case for everyone, it still means that, depending upon who initiates the friend request, the person who sends it may have a visual portrayal of their life exposed even if their settings suggest otherwise.
I’m not writing this to say I hate Facebook or that the service is dumb, but more as a warning to keep what you post (to Facebook or anywhere else) in check. You never know who or what could find you or whether your information is truly safe. Assume only the worst-case scenarios. Remember, trust is a weakness.
If you want to get in touch with me to discuss this, feel free to pick a suitable method from the Contact page.
(Flaw found March 30, 2009 and article posted March 31, 2009.)