
Facebook Flaw Exposed Private Photos

Soulskill posted more than 2 years ago | from the somebody's-having-a-bad-day-at-the-office dept.


Velcroman1 writes "A security hole in Facebook allowed almost anyone to see pictures marked as private, an online forum revealed late Monday. Even pictures supposedly kept hidden from uninvited eyes by Facebook's privacy controls aren't safe, reported one user of a popular bodybuilding forum in a post entitled 'I teach you how to view private Facebook photos.' Facebook appears to have acted quickly to eliminate the end-run around privacy controls, after word of the exploit spread across the Internet. It wasn't long before one online miscreant uploaded private pictures of Facebook founder Mark Zuckerberg himself — evidence that the hack worked, he said."


201 comments

Again? (5, Insightful)

masternerdguy (2468142) | more than 2 years ago | (#38284118)

Facebook privacy violation? *shockface* I'm sure glad I don't use Facebook.

Re:Again? (5, Funny)

NoNonAlphaCharsHere (2201864) | more than 2 years ago | (#38284202)

Who says Slashdot doesn't change with the times? See how the (sometimes twice) daily "New remote execution flaw in Windows" articles have been replaced by "New egregious privacy violation found in Facebook" stories?

Re:Again? (0, Troll)

Anonymous Coward | more than 2 years ago | (#38284214)

I can't wait for it to be "horrifying security hole in Linux" twice a day. That should be a lolfest.

Re:Again? (3, Funny)

Anonymous Coward | more than 2 years ago | (#38284646)

I can't wait for it to be "horrifying security hole in Linux" twice a day. That should be a lolfest.

Any day now, Linux should be crawling with viruses.

Any day now.

Re:Again? (4, Funny)

Anonymous Coward | more than 2 years ago | (#38284720)

Any day now it might be the Year of the Linux Desktop (tm).

Re:Again? (-1)

Anonymous Coward | more than 2 years ago | (#38284908)

Viruses? Maybe not, but idiots? It's already overrun with them, judging by how many Linux hosts are churning out spam and launching attacks against other systems.

Re:Again? (3, Insightful)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#38284290)

Cloud computing is all the rage these days. All proactive managers are moving their egregious vulnerabilities into the cloud, so it is only fair that tech journalism follow suit...

Re:Again? (0, Troll)

Anonymous Coward | more than 2 years ago | (#38285150)

Every time someone so much as mentions Facebook people like you crawl out of the woodwork to show how much better they are than the 300 million people who use Facebook. Thank you for your meaningful contribution to the conversation.

you can't trust 3rd parties with private info (0, Flamebait)

MichaelKristopeit355 (1968164) | more than 2 years ago | (#38284132)

always roll your own.

facebook's implementation is trivial to build on a scale relative to a single network of users.

Re:you can't trust 3rd parties with private info (1)

Anonymous Coward | more than 2 years ago | (#38284262)

This from the moron who shares his name and address with the entire world.

Re:you can't trust 3rd parties with private info (0, Flamebait)

MichaelKristopeit410 (2018830) | more than 2 years ago | (#38284376)

ur mum's face is the moron.

my name and address have nothing to do with my privacy.

you're an idiot.

why do you cower in my shadow? what are you afraid of?

you're completely pathetic.

Re:you can't trust 3rd parties with private info (0)

Anonymous Coward | more than 2 years ago | (#38284468)

He's a bot with a troll starter post, a no life loser who keeps monitoring replies to make sure they last as long as possible.

Re:you can't trust 3rd parties with private info (1)

Dunbal (464142) | more than 2 years ago | (#38284550)

Having a conversation/discussion != trolling. However only a minority actually understand this concept - the ones on the far right side of the bell curve.

Re:you can't trust 3rd parties with private info (0)

MichaelKristopeit415 (2018852) | more than 2 years ago | (#38284978)

ur mum's face's a bot with a troll starter post, a no life loser.

i monitor nothing. automated tools push notifications to me. you're an idiot.

you have contributed and extended the life of something you claim to hold in contempt. you're an ignorant hypocrite.

cower in my shadow some more, feeb.

you're completely pathetic.

Re:you can't trust 3rd parties with private info (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#38284342)

Inconveniently, tiny networks are dubiously useful for most of the purposes to which people put facebook, network effects and all that.

It's not my cup of tea; but the notion that one could usefully improve one's security by simply replacing facebook with a personally implemented private network is roughly similar to the notion that one can usefully improve one's security by severing one's LAN from the internet.

Both are true; but not terribly useful for most users.

Re:you can't trust 3rd parties with private info (0)

MichaelKristopeit412 (2018834) | more than 2 years ago | (#38284486)

it only needs to be terribly useful to the admin of the users.

if privacy is required, trusting a 3rd party is not a useful option for any user

you're an idiot.

Re:you can't trust 3rd parties with private info (0)

Anonymous Coward | more than 2 years ago | (#38284518)

karma police, ban this man; his blatant troll posts are making me feel ill. he's like a first post goatse.

Re:you can't trust 3rd parties with private info (0)

MichaelKristopeit414 (2018850) | more than 2 years ago | (#38284606)

you're an ignorant hypocrite, tubgirl

ur mum's face is blatant troll.

cower in my shadow some more, feeb.

you're completely pathetic.

Re:you can't trust 3rd parties with private info (0, Offtopic)

migla (1099771) | more than 2 years ago | (#38284626)

karma police, ban this man; his blatant troll posts are making me feel ill. he's like a first post goatse.

First they came for Michael Kristopeit, but I didn't speak up since I wasn't Michael Kristopeit. Then they came for Michael Kristopeit 2 and 3 and on and on, until, one day, they came for Michael Kristopeit 412, but I didn't speak up, since I wasn't any of those. Then they came for the muslims and the communists and other uncool people, then they came for me, and there was no one left to speak up for me.

Re:you can't trust 3rd parties with private info (0)

berashith (222128) | more than 2 years ago | (#38284790)

I have also found versions 100, 200, 300, 400, and I think 500. I was hoping to find a different pattern to the wonderful banter he provides, but no, just the same format over again. I was truly amazed when I was first trolled by this amazing contributor, but then I found I was just being fed a formulaic troll, with only 3 different patterns of attack, and a few variables to spice up the form. I am not even sure if it isn't a test of a script.

Re:you can't trust 3rd parties with private info (1)

MichaelKristopeit415 (2018852) | more than 2 years ago | (#38285020)

if your contributions are vulnerable to a formulaic rebuttal of 3 different patterns, i'm not sure you isn't a test of a moron.

cower in my shadow some more behind your chosen hebraic ontology based pseudonym, feeb.

you're completely pathetic.

Re:you can't trust 3rd parties with private info (1)

masternerdguy (2468142) | more than 2 years ago | (#38285046)

i'm not sure you isn't a test of a moron.

i'm not sure if you isn't a test of a moron either mate.

Re:you can't trust 3rd parties with private info (1)

MichaelKristopeit416 (2018860) | more than 2 years ago | (#38285102)

ur mum's face's a test of a moron guy.

cower in my shadow some more behind your chosen supremacy based pseudonym, feeb.

you're completely pathetic.

Re:you can't trust 3rd parties with private info (1)

berashith (222128) | more than 2 years ago | (#38284808)

no no no ... these are great fun.

Re:you can't trust 3rd parties with private info (0)

Anonymous Coward | more than 2 years ago | (#38285094)

> Inconveniently, tiny networks are dubiously useful

Too bad we don't have, like, the ENTIRE BLOODY INTERNET then. It's pretty big, and I've been using it to communicate with people since the mid 1980's.

Oh, I forgot. Facebook is the only way to communicate with your friends and family online. The internet provides no other mechanism for doing so.

Re:you can't trust 3rd parties with private info (1)

MichaelKristopeit416 (2018860) | more than 2 years ago | (#38285184)

ignorant hypocrisy must not be addressed with sarcasm, as the truly ignorant hypocrite would not see it as such.

facebook does not provide a service... they provide an unnecessary liability; while the moderators of this internet web site chat room message board have decreed that the antithesis of that statement is the highest level of insightfulness.

slashdot = stagnated.

Re:you can't trust 3rd parties with private info (0)

Anonymous Coward | more than 2 years ago | (#38285266)

Inconveniently, tiny networks are dubiously useful for most of the purposes to which people put facebook, network effects and all that.

Smaller "Facebooks" don't mean that the different nodes wouldn't be able to exchange information. Look at email: it's decentralized and it works. There is no reason social networks couldn't work in a similar way.

I refuse to use Facebook because it's centralized and out of our control. I would gladly use an open alternative where I can open my own servers at home or at work.

Of course (5, Insightful)

Sarten-X (1102295) | more than 2 years ago | (#38284144)

If you upload something to Facebook, assume anyone can see it. Whether it's a genuine hack, somebody figuring out your password, or leaving a computer logged in while you go grab coffee, somebody will at some point have access to everything, so don't upload it in the first place. It's that simple.

That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

Re:Of course (-1)

Anonymous Coward | more than 2 years ago | (#38284176)

Who are you to tell people how to use Facebook?

Re:Of course (5, Funny)

forkfail (228161) | more than 2 years ago | (#38284456)

You do understand that these forums are often frequented by folks who have forgotten more about computer security than most folks will learn during the course of their entire lives?

Re:Of course (0)

Anonymous Coward | more than 2 years ago | (#38284666)

That's why he's reminding us. Even the best of us can forget.

Re:Of course (4, Insightful)

peragrin (659227) | more than 2 years ago | (#38284196)

Always assume anything on facebook is visible to everyone always. You no longer have any control, it is never deleted, never removed.

It is why I have never used Facebook, ever. It isn't worth it. While I do know some have posted pictures of me, those pictures can't truly be linked to me.

Re:Of course (1)

MichaelKristopeit355 (1968164) | more than 2 years ago | (#38284232)

While I do know some have posted pictures of me, those pictures can't truly be linked to me.

if you "truly" believed that, then you could just as well argue that a facebook account couldn't "truly" be linked to you.

you're an ignorant hypocrite.

Re:Of course (0)

Anonymous Coward | more than 2 years ago | (#38284406)

Hey, Mike! Great to see you. Keepin' it real? Would you mind explaining to me how the gp is a hypocrite?

Ps. I'm a great and principled person. I think people should stand up for what they believe in and face the truth head on.

-Yours in hypocrisy,
Anonymous Coward

pps. You're no hypocrite, Mike, I don't want to imply that in any way. You have your rough edges (all of them, perhaps), but I haven't seen you being a hypocrite.

XOXOX

Re:Of course (1, Informative)

MichaelKristopeit413 (2018846) | more than 2 years ago | (#38284580)

believing that a facebook account linked to his name would implicitly link to his identity, while believing that a facebook image linked to a non-account linked to his name would not implicitly link to his identity.

just because you don't have a facebook account doesn't mean that facebook doesn't allow and encourage its members to divulge your extended personal information while tagging non-account holders in photos.

you're an idiot.

Re:Of course (5, Funny)

geekmux (1040042) | more than 2 years ago | (#38284224)

If you upload something to Facebook, assume anyone can see it...

Ah, you misspelled Internet.

Re:Of course (5, Funny)

Abstrackt (609015) | more than 2 years ago | (#38284534)

If you upload something to Facebook, assume Internet can see it...

Ah, you misspelled Internet.

I've taken the liberty of making the correction on your behalf.

Re:Of course (1)

Kral_Blbec (1201285) | more than 2 years ago | (#38284642)

If you upload something to Internet, assume anyone can see it...

Ah, you misspelled Internet.

I've taken the liberty of making the correction on your behalf.

I think that was the correction he was talking about.

Re:Of course (3, Funny)

PNutts (199112) | more than 2 years ago | (#38284958)

If you upload pr0n to Internet, make sure I can see it...

Ah, you misspelled Internet.

I've taken the liberty of making the correction on your behalf.

I think that was the correction he was talking about.

Sorry, it still wasn't right.

Re:Of course (2)

jellomizer (103300) | more than 2 years ago | (#38284238)

In other words.
Rules for civilized public discourse still apply.

Granted, Facebook really needs to fix its privacy and security to be much better. But Facebook is a social media site, meaning information posted is meant to be posted socially.

Re:Of course (5, Funny)

snowgirl (978879) | more than 2 years ago | (#38284256)

That means don't complain profusely about your boss every day, don't send explicit messages to your lover, and certainly don't use Facebook to archive those pictures of that wild bachelor party.

But I hate my boss; he's a total asshole! And my boyfriend loves getting steamy messages (hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) ), and I archive all the bachelor parties that I perform at. I need to have a portfolio after all! How will the next bachelor party find out if they want me vs. that skank across town?

Click here [youtube.com] to visit my private webpage, for my special webpage (Registration, and credit card required)

Re:Of course (4, Insightful)

Anonymous Coward | more than 2 years ago | (#38284332)

(hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;) )

This is the classic problem of how to properly close a parenthetical statement that ends with an emoticon.

Re:Of course (4, Funny)

Anonymous Coward | more than 2 years ago | (#38284412)

The easy fix, in this case, is to use more tongue. ;p

Re:Of course (4, Funny)

Gaygirlie (1657131) | more than 2 years ago | (#38285044)

That's what she said.

Re:Of course (0)

Anonymous Coward | more than 2 years ago | (#38285060)

And, I suspect, Brian would agree in this case.

Re:Of course (2, Funny)

Anonymous Coward | more than 2 years ago | (#38284430)

hey, Brian, I'm not wearing panties today. Surprise for when you get home after work! ;)

I just discovered that I assume that everyone on Slashdot is male, and that guys who wear panties for their boyfriend Brian kind of skeeve me out.

Learn something new every day...

Re:Of course (1)

Sarten-X (1102295) | more than 2 years ago | (#38284480)

Well, of course, if you "perform" professionally at bachelor parties, then perhaps your Facebook page is a marketing tool for your entertainment business. In that case, it should present an image suitable to your profession. If that means insulting your boss to help potential customers identify with you, then so be it.

Re:Of course (1)

migla (1099771) | more than 2 years ago | (#38284520)

You're very talented! I haven't seen such classic moves in a while. Cool voice, too.

Re:Of course (1)

interval1066 (668936) | more than 2 years ago | (#38284528)

Can I get your number?

Re:Of course (2)

Baloroth (2370816) | more than 2 years ago | (#38284614)

I can probably guess it: 772-257-4501

Re:Of course (1)

ToiletBomber (2269914) | more than 2 years ago | (#38284922)

Click here to visit my private webpage, for my special webpage (Registration, and credit card required)

You linked to the VEVO version? You, sir, are an idiot.

Re:Of course (0)

Anonymous Coward | more than 2 years ago | (#38285112)

Snowgirl, I think I love you!

Re:Of course (1)

twdorris (29395) | more than 2 years ago | (#38285256)

I'll second that. Assuming she's a she.

Re:Of course (2)

Archangel Michael (180766) | more than 2 years ago | (#38284438)

If you upload something to Facebook, assume anyone WILL see it.

FTFY

Assume the worst. If you want something private, don't tell ANYONE.

Re:Of course (2)

izomiac (815208) | more than 2 years ago | (#38284522)

If you upload something to Facebook, assume anyone can see it.

Personally, I assume that Mark Zuckerberg can see it, if he so chooses, and I trust him less than my least trustworthy friend.

Re:Of course (3, Interesting)

betterunixthanunix (980855) | more than 2 years ago | (#38284694)

If you upload something to Facebook, assume anyone can see it

I used to think this, but there are some pretty convincing arguments in The Net Delusion that have caused me to rethink that position. There are a lot of Facebook users, and dissident groups cannot avoid using Facebook to reach people, simply because of the large number of people on Facebook. If Facebook does not take privacy seriously, the risk to dissidents who try to contact their fellow citizens on Facebook will grow.

The point here is that yes, it is a problem when Facebook unexpectedly opens its users' data to the world against their wishes. There are legitimate reasons why someone might use Facebook but want to keep their account data private.

Re:Of course (4, Interesting)

Anonymous Coward | more than 2 years ago | (#38285076)

Newsflash: any dissidents attempting to use Facebook are being plain stupid. That's like sending an email containing your entire list of friends and family to every government in the world, but with way more detail about what you do and where you are.

You do realize that Facebook privacy terms only apply to other users who use Facebook for free, and follow the terms of service, right? Facebook hackers, bots, and government agencies (and likely some large corporations) have full access to Facebook data. So does Facebook. Not only is your "private" Facebook data fair game, so is the "hidden" Facebook data, such as your access log, answers to security questions, access patterns (when you did what), etc.

Re:Of course (2)

Jim Hall (2985) | more than 2 years ago | (#38285270)

If you upload something to Facebook, assume anyone can see it.

In general, this is true of anything you post on the Internet. I look at it this way: try to avoid posting things on Facebook, Twitter, Google+, Slashdot, Flickr, or any other site, that you might be embarrassed for a family member to see, or a future potential employer. If it's on the Internet, assume anyone can see it.

My immediate personal response to this Facebook flaw: ohmigosh! Then I remembered that my photos are pretty much my cats, work we've done on the house, flowers, speakers at events, and similar stuff. I may have them marked "private" but not that big a deal if this flaw exposed them.

I recognize that I am a minority of Facebook users, however.

Interesting (3, Interesting)

koan (80826) | more than 2 years ago | (#38284154)

I wonder what constitutes a "private photo" for Zuckerberg, my guess is he has no photos that would be even remotely interesting since he knows the ins and outs of FB, and why does spell check want to turn "zuckerberg" into "rubbernecker"?

It's all related somehow...

Not surprising (0)

Anonymous Coward | more than 2 years ago | (#38284172)

Considering hard links to your photos work for anyone on the internet, this isn't a surprise in the least. I wouldn't call it a hack at all.

Surprised this is real. (4, Interesting)

Ecuador (740021) | more than 2 years ago | (#38284188)

I saw a link to the forum discussing this somewhere. From the description of the "hack", I was certain this was a hoax. You see, the idea is that the hack is to report the user with private pictures to Facebook as having "nude/pornographic" images, and in the image flagging process it shows you private-only pics as well.
So it really sounded like a hoax to me to have people go around reporting private profiles of hot girls (or even boys I guess), and I am surprised it is a real security flaw. Not that you can call something on Facebook a security flaw, since that would require security in the first place, right?
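The mechanism described in this post, a visibility check that the normal photo view enforces but the report/flagging workflow skips, is the classic "secondary code path" access-control bug. The following is an added illustration, not Facebook's code: the data model, names and friend graph are assumed. It models the flawed report flow next to a hardened one that routes every photo listing through the same authorization gate, so a reporter can only flag what they could already see.

```python
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"
    FRIENDS = "friends"
    ONLY_ME = "only_me"


@dataclass
class Photo:
    photo_id: int
    owner: str
    visibility: Visibility


@dataclass
class SocialGraph:
    """Constructed in-memory stand-in for the friend graph and photo store."""
    friends: dict = field(default_factory=dict)  # owner -> set of friend names
    photos: list = field(default_factory=list)

    def are_friends(self, owner: str, other: str) -> bool:
        return other in self.friends.get(owner, set())

    def photos_of(self, owner: str) -> list:
        return [p for p in self.photos if p.owner == owner]


def can_view(graph: SocialGraph, viewer: str, photo: Photo) -> bool:
    """The single authorization gate. Every code path that shows a photo,
    including moderation and reporting flows, must go through here."""
    if viewer == photo.owner:
        return True
    if photo.visibility is Visibility.PUBLIC:
        return True
    if photo.visibility is Visibility.FRIENDS:
        return graph.are_friends(photo.owner, viewer)
    return False  # ONLY_ME: nobody but the owner


def view_photo(graph: SocialGraph, viewer: str, photo_id: int) -> Photo:
    """Normal photo page: enforces the gate and refuses otherwise."""
    for photo in graph.photos:
        if photo.photo_id == photo_id:
            if not can_view(graph, viewer, photo):
                raise PermissionError(f"{viewer} may not view photo {photo_id}")
            return photo
    raise KeyError(photo_id)


def report_review_page_vulnerable(graph: SocialGraph, reporter: str, reported: str) -> list:
    """Flawed 'pick the offending photos' step: it lists every photo of the
    reported user straight from the store, never consulting can_view.
    This is the shape of the bug the thread describes."""
    return [p.photo_id for p in graph.photos_of(reported)]


def report_review_page_fixed(graph: SocialGraph, reporter: str, reported: str) -> list:
    """Hardened step: the reporter can only flag photos already visible to them."""
    return [p.photo_id for p in graph.photos_of(reported) if can_view(graph, reporter, p)]


def leaked_photo_ids(graph: SocialGraph, reporter: str, reported: str) -> list:
    """Regression check a defender can run: anything the report page exposes
    that the normal view would refuse is a leak."""
    exposed = report_review_page_vulnerable(graph, reporter, reported)
    return [pid for pid in exposed if pid not in report_review_page_fixed(graph, reporter, reported)]


def build_sample_graph() -> SocialGraph:
    """Constructed sample: alice owns three photos; bob is her friend, mallory is not."""
    return SocialGraph(
        friends={"alice": {"bob"}},
        photos=[
            Photo(1, "alice", Visibility.PUBLIC),
            Photo(2, "alice", Visibility.FRIENDS),
            Photo(3, "alice", Visibility.ONLY_ME),
        ],
    )


if __name__ == "__main__":
    g = build_sample_graph()
    print("vulnerable report page for mallory:", report_review_page_vulnerable(g, "mallory", "alice"))
    print("fixed report page for mallory:     ", report_review_page_fixed(g, "mallory", "alice"))
    print("leaked to mallory:                 ", leaked_photo_ids(g, "mallory", "alice"))
```

The lesson is not specific to photo reporting: any "pick an item" step in a moderation, sharing or export flow needs the same gate as the primary view, and a leak test like leaked_photo_ids belongs in the regression suite.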

Re:Surprised this is real. (4, Interesting)

interval1066 (668936) | more than 2 years ago | (#38284540)

This flaw has been exploited for months by the likes of 4chan.org/b/, and others. I'm surprised it took this long to get out.

Re:Surprised this is real. (0)

Anonymous Coward | more than 2 years ago | (#38284712)

Those who abused it wanted it somewhat hush hush lest the developers catch wind and remove it.

Re:Surprised this is real. (2)

jd (1658) | more than 2 years ago | (#38284718)

It didn't. It took that long for the "popular bodybuilding forum" to archive those pictures guaranteed to improve its popularity.

Definitely real (2, Informative)

Anonymous Coward | more than 2 years ago | (#38284750)

I decided it was real when I saw someone post Zuck's photos [imgur.com].

Re:Definitely real (2)

Bill Dimm (463823) | more than 2 years ago | (#38284914)

If ever I thought there was a link that would go to goatse, that was it. But, no, the photos are of Zuckerberg fully clothed. Not mounting a goat or anything along those lines.

OMG OMG OMG (0)

Anonymous Coward | more than 2 years ago | (#38284194)

I posted something private and it was public???? SOMEBODY PASS A LAW IMMEDIATELY! /end sarcasm

Private pictures? (5, Interesting)

gmuslera (3436) | more than 2 years ago | (#38284208)

Wasn't it Zuckerberg himself who said some years ago that whoever wants to have privacy is guilty of something?

Re:Private pictures? (4, Funny)

blair1q (305137) | more than 2 years ago | (#38284272)

Then I'm guilty of not wanting people to be jealous of my naked body.

Re:Private pictures? (-1)

Anonymous Coward | more than 2 years ago | (#38284296)

I'm guilty of not wanting people to be jealous of my shaved pubes.

Re:Private pictures? (0)

Anonymous Coward | more than 2 years ago | (#38284328)

Wasn't it Zuckerberg himself who said some years ago that whoever wants to have privacy is guilty of something?

Sounds reasonable. I doubt that there's anyone who isn't guilty of something. And if there is then they probably wouldn't want to admit it.

Re:Private pictures? (3, Informative)

hellkyng (1920978) | more than 2 years ago | (#38284350)

"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Eric Schmidt

Not quite... but close.

Re:Private pictures? (1)

hellkyng (1920978) | more than 2 years ago | (#38284360)

BTW, if you want to google that, you might be surprised at how hard it is to find; try this: "google ceo privacy quote"

Re:Private pictures? (1)

forkfail (228161) | more than 2 years ago | (#38284500)

There are two kinds of people in the world.

Those whose dark secrets tend to be the type that might be revealed over the internet, and those whose aren't.

Re:Private pictures? (1)

sociocapitalist (2471722) | more than 2 years ago | (#38285078)

No that was the US government...

thank you mark. (5, Funny)

Anonymous Coward | more than 2 years ago | (#38284222)

A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa. -Mark Zuckerberg

No Mark,
The private pics of the girl I crush on, yes, those are more relevant to my interests than people dying in Africa. Thank you for giving me occasional glimpses of hope with your privacy blunders.
Yours Sincerely,
Creep.

Omg! (1, Insightful)

Anonymous Coward | more than 2 years ago | (#38284252)

A "bodybuilding" forum is reporting one of the biggest Facebook flaws I've ever heard of? Or in other words, the biggest anti-geek place is reporting a really geek thing??

What's the world coming to??

Miscreant? (1)

stevegee58 (1179505) | more than 2 years ago | (#38284254)

Them's fightin' words.

Re:Miscreant? (1, Flamebait)

forkfail (228161) | more than 2 years ago | (#38284536)

Fox News calling someone a "miscreant" is like Idi Amin calling someone "a big meanie".

A bug? In software? OH MY! (5, Insightful)

bennomatic (691188) | more than 2 years ago | (#38284320)

Mistakes happen. Things get through QA. When a bug occurs, if it's in a flight control system, you might crash. If it's in a backup system, you might lose data. If it's in a social network, you might block users you didn't mean to, or you might open your data to unwanted eyes.

Unless we're going to start regulating social networks like we do products for some other industries, then, well, there's a reasonable likelihood of this sort of thing happening on a regular basis. If you don't like it, don't share stuff on Facebook.

Re:A bug? In software? OH MY! (1)

Baloroth (2370816) | more than 2 years ago | (#38284640)

don't share stuff on Facebook.

No real comment, I just thought this deserves repeating.

Re:A bug? In software? OH MY! (1)

Dishevel (1105119) | more than 2 years ago | (#38284684)

I do not remember reports of a Facebook bug that accidentally blocked people you wanted to share with.
Seems to always be accidentally the other way round.
Hmmm.

Re:A bug? In software? OH MY! (1)

jd (1658) | more than 2 years ago | (#38284864)

Regulating social network software might actually be a good idea. Not as in restricting content, but as in requiring certain standards to be met. Like it or not, we live in a connected world where information is shared, collated and mined. Errors in that data are next to impossible to correct because they spread faster than you can correct them. In the absence of data privacy laws, it is essential that the calibre of software be such that inappropriate access is kept to an absolute minimum.

Having said that, I would argue that this should be coupled with improvements to the way certification programs work. Most of them are too expensive for projects that actually do exist in regulated markets, but obviously you can't make them too cheap because the effort and expense of certification would leave those involved in such efforts open to a social denial-of-service attack.

If social network software had to pass a certification program, the standards required ought to be clearly laid out, the methodologies clearly defined, and the certification program stringent enough to be useful but also affordable enough (how doesn't matter) that even a college kid could get one release fully reviewed before going live.

too late (0)

Anonymous Coward | more than 2 years ago | (#38284372)

i barely ever post ac

this worked great. i made a burn account this morning, logged in from my server in another country using x forwarding and a chrome session, and got some *very* excellent photos of an old high school crush. a mormon girl in a bright red skimpy bikini. i have filled the fap data bank from high school back up for a few months, to say nothing of the photoshopping that is to be of her face.

it was exhilarating to gain access to her account. i tried it on other girls i have crushed on too, and although none of them had the same results, today was a day i will look back on fondly, with my pirate hat fanning my perspired face and all my new digital booty.

thanks facebook for giving me something i should never, ever have had. her private bikini photos were just for her boyfriend, but your crappy api let me be a fly on that wall for mere hours of undisputed glee.

This is old news to me (1)

Anonymous Coward | more than 2 years ago | (#38284416)

This flaw in Facebook has been known to the internet since 2009.

I remember there was this one image floating around on 4chan for a while showing people how the flaw worked. All it consisted of was some messing around with the URL, and you could see any person's private images, whether they were on your friend's list or not.

more QA, less agile? (1)

Sadsfae (242195) | more than 2 years ago | (#38284450)

I can't help but think this is why more emphasis on QA, staging changes appropriately and testing thoroughly, and less focus on agile, devops-type methodology, would have helped. It's a well-known fact that Facebook developers work on live production data.

Re:more QA, less agile? (0)

Anonymous Coward | more than 2 years ago | (#38284560)

"agile devops": combining buzzwords to create even less meaning!

Re:more QA, less agile? (1)

Caerdwyn (829058) | more than 2 years ago | (#38285202)

All the QA in the world won't help if the findings of the QA engineers do not result in defects being acknowledged or fixed. QA in those cases is not a testing group; it's a rubber stamp for which the answer to the question "do we ship it" is required to be "yes". This arises either because QA reports to a development manager (i.e. someone whose performance review is based on what is released how close to schedule under budget, therefore someone who simultaneously has the motivation and the power to ignore QA findings), or because it exists only because the company's executives require that they be able to tell customers that they have a QA department (regardless of its effectiveness or lack thereof). Either situation means that there is little incentive to invest in more QA engineers, to listen to those engineers, or for QA to expend any effort above minimum. Why try if it doesn't matter?

Even if QA's findings are acknowledged, if the release schedule is cast in stone then those findings are not acted upon (I'm looking at YOU, Bethesda). "Patch in production" is considered acceptable, so there is little urgency to act upon QA's findings for anything less serious than "causes cancer in rats, children, lawyers and other vermin". Again, does quality matter?

The reason this situation exists is because lack of quality so often is irrelevant. If a customer complains but buys anyway, the complaint is guaranteed to be ignored. Using the aforementioned Bethesda as an example: Bethesda's reputation for releasing bug-ridden unstable games that would be fantastic if it wasn't for the hourly crashes (Oblivion, Fallout 3, Fallout Vegas, Skyrim) is irrelevant in the face of their huge sales figures. Quality, in fact, does NOT matter; people buy anyway. They bitch, but they buy. Which do you think speaks more loudly to the product managers and execs: bitching or buying?

Everybody gets what the majority deserves.

link? (1)

rabidmuskrat (1070962) | more than 2 years ago | (#38284492)

Is the archive of Zuckerberg's pictures still up somewhere? Every link I have been sent has been devoid of images.

Re:link? (0)

Anonymous Coward | more than 2 years ago | (#38284530)

http://imgur.com/a/PrLrB

Thank me later.

As Vader said ..... (0)

Anonymous Coward | more than 2 years ago | (#38284726)

As Vader said:

Now, I have you in my sights " ..... Zuckerburg.
Get back to your washed out facebook and buy me a bus.

Did You Really Authorize All Those FB Apps? (4, Informative)

MichaelCrawford (610140) | more than 2 years ago | (#38284736)

The other day I finally got around to configuring those privacy settings that everyone has been so on about. Facebook sure doesn't make them easy to find.

I was shocked to find that my account granted access to about three dozen apps that I never even heard of. There were only two or three that I signed up for with my own conscious knowledge. I don't have the first clue how I got signed up for all the rest.

That just pissed me off. As I was no longer actually using the two or three apps that I did voluntarily use, I deleted all three dozen from my account.

You may be completely unaware that a whole bunch of private companies that are not affiliated with Facebook have access to your personal data. Even if you want to use a particular Facebook app, you should configure that particular app's privacy settings to grant it access only to the data you voluntarily want it to have. If you are no longer using an app, or don't recall ever requesting the use of it, you should delete it from your account completely.

Here's what you do:

Log in to your Facebook account. (Heh, when I did that just now, I found my account locked. It turned out to be because I had deleted my cookies, not because Facebook caught me spreading the word about how to dump what Facebook considers to be its real customers!)

At the top-right is your username, "Friends", "Home" and a small triangle. Click on the small triangle then select "Privacy Settings".

Click on "Edit Settings" to the right of "Apps and Websites". You may need to scroll down a little bit.

Click on "Edit Settings" to the right of "Apps You Use".

I no longer use any apps so I can't continue from here, but at this point it should be pretty clear what to do.

Some apps really will require access to your details so they can function. If so, be certain that you really want to continue using those apps. Give them the minimum level of access that you really want them to have. Delete all the rest.

Re:Did You Really Authorize All Those FB Apps? (0)

Dan667 (564390) | more than 2 years ago | (#38285138)

Mine is easier, only one step: don't use Facebook.

What kind of photos? (1)

cvtan (752695) | more than 2 years ago | (#38284760)

Now if there were porn photos of Mark Z. Ewwww!

Surprisingly weak architecture (5, Insightful)

matthaak (707485) | more than 2 years ago | (#38284788)

I think this story is revealing about Facebook's security architecture. One would have hoped that security policies are defined within the application at a very low level and that all requests for information -- be it photos, posts, whatever -- must pass through that low-level security layer. What this story reveals is that the security architecture of Facebook is such that each developer of each separate function (in this case, the report-a-nude-photo function) is responsible for re-implementing security checks.
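The architecture matthaak is asking for, as an added example that is not part of the original comment or of Facebook's code: one policy function, one gated read path, and a feature written against each. All names (User, Photo, PhotoStore, the report functions) are hypothetical, and the photo URL is a constructed sample.

```python
"""Centralized authorization gate versus a feature that skips it.

Hypothetical model of the architecture described above: every read of a
photo goes through one policy layer, so a feature such as "report this
photo" cannot forget the check. Not Facebook's code; all names are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


class AuthorizationError(Exception):
    """Raised by the policy layer when the caller may not see a resource."""


@dataclass(frozen=True)
class User:
    user_id: str
    friends: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_id: str
    visibility: str  # "public", "friends" or "private"
    url: str         # constructed sample CDN path


def is_visible(photo: Photo, viewer: Optional[User]) -> bool:
    """The single policy decision, kept in one place."""
    if photo.visibility == "public":
        return True
    if viewer is None:
        return False
    if viewer.user_id == photo.owner_id:
        return True
    if photo.visibility == "friends":
        return photo.owner_id in viewer.friends
    return False


class PhotoStore:
    """Low-level store; get() is the read path every feature should use."""

    def __init__(self, photos: Iterable[Photo]):
        self._photos: Dict[str, Photo] = {p.photo_id: p for p in photos}

    def get(self, photo_id: str, viewer: Optional[User]) -> Photo:
        # The policy check lives here, below every feature.
        photo = self._photos[photo_id]
        if not is_visible(photo, viewer):
            raise AuthorizationError(f"{photo_id} is not visible to this viewer")
        return photo

    def raw_get(self, photo_id: str) -> Photo:
        # Bypasses policy; only the vulnerable feature below uses it.
        return self._photos[photo_id]


def report_photo_vulnerable(store: PhotoStore, viewer: Optional[User],
                            photo_id: str) -> dict:
    """Feature written against the raw store: the check is never made."""
    photo = store.raw_get(photo_id)
    return {"photo_id": photo.photo_id, "preview_url": photo.url}


def report_photo_hardened(store: PhotoStore, viewer: Optional[User],
                          photo_id: str) -> dict:
    """Feature written against the gated read path: cannot forget the check."""
    photo = store.get(photo_id, viewer)
    return {"photo_id": photo.photo_id, "preview_url": photo.url}


def run_scenario() -> dict:
    """Constructed scenario: a private photo, its owner and a stranger."""
    store = PhotoStore([Photo("p1", "alice", "private",
                              "https://cdn.example.invalid/p1.jpg")])
    alice, stranger = User("alice"), User("mallory")
    outcome = {
        "owner_hardened": report_photo_hardened(store, alice, "p1")["photo_id"],
        "stranger_vulnerable": report_photo_vulnerable(store, stranger, "p1")["preview_url"],
    }
    try:
        report_photo_hardened(store, stranger, "p1")
        outcome["stranger_hardened"] = "leaked"
    except AuthorizationError:
        outcome["stranger_hardened"] = "denied"
    return outcome


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that the only read path a feature can reach is the gated one; removing `raw_get` (or restricting it to migration tooling) turns a forgotten check from a silent leak into a compile-time or review-time question.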

The pictures (5, Interesting)

slasho81 (455509) | more than 2 years ago | (#38284868)

The pictures. [imgur.com]

Re:The pictures (1)

Sez Zero (586611) | more than 2 years ago | (#38285004)

He's not wearing a seatbelt; quick, someone raise his insurance rates!

Regardless of THIS flaw (5, Informative)

dmomo (256005) | more than 2 years ago | (#38284874)

Please know that on Facebook, whatever your privacy settings are, your photos are only secured by the obscurity of the URL. The Facebook servers that serve static content do so efficiently by doing nothing else. No cookies, no session management, etc. If you happen to know the URL of an image (not the Facebook URL that wraps the image but the actual resource URL) you can view it from anywhere, whether or not you are logged in.

Re:Regardless of THIS flaw (5, Informative)

Anonymous Coward | more than 2 years ago | (#38285096)

In addition to that, if you have the static URL to the photo, it persists after the photo has been deleted as well. I tested this by loading a URL after a photo had been deleted from the profile and voilà! It's still there.

So creeps, grab those URLs from your cache while you can.

Re:Regardless of THIS flaw (4, Informative)

dmomo (256005) | more than 2 years ago | (#38285216)

Yeah. And if for some reason you share it with someone... and they post it anywhere, and Google picks up the URL, forget it:
https://www.google.com/search?q=a3.sphotos.ak.fbcdn.net/hphotos-ak-snc7&oe=utf-8um=1&ie=UTF-8&hl=en&tbm=isch&source=og&sa=N&tab=wi [google.com]

You can also run a search for partial image names through the Google image search API [google.com] using known Facebook static content servers.
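The three comments above describe the same weakness from three angles: static photo URLs protected only by obscurity, URLs that keep working after the photo is deleted, and URLs that end up in a search index. The standard mitigation for a session-less content server is a signed, expiring URL, shown here as an added example (not Facebook's mechanism and not the commenters' code). The signing key, CDN hostname and photo path are constructed values.

```python
"""Signed, expiring URLs for a stateless static content server.

Added example. The CDN node keeps no sessions and no cookies, exactly as the
comments describe, yet can still refuse a request: every URL carries an
expiry and an HMAC over (path, expiry) that only the application server,
which holds the key, can produce. A leaked, cached or indexed URL stops
working once the expiry passes, and so does the URL of a deleted photo.
Key, host and paths are constructed values, not real ones.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-example-key-rotate-in-production"  # assumption
CDN_HOST = "https://photos.cdn.example.invalid"               # constructed


def _message(path: str, expires: int) -> bytes:
    # Canonical string that is signed; path and expiry are both covered.
    return f"{path}?expires={expires}".encode()


def sign_url(path: str, ttl_seconds: int, now: Optional[float] = None,
             key: bytes = SIGNING_KEY) -> str:
    """Application server side: mint a URL valid for ttl_seconds."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    sig = hmac.new(key, _message(path, expires), hashlib.sha256).hexdigest()
    return f"{CDN_HOST}{path}?" + urlencode({"expires": expires, "sig": sig})


def verify_url(url: str, now: Optional[float] = None,
               key: bytes = SIGNING_KEY) -> bool:
    """CDN side: accept only an unexpired URL whose signature matches."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False                      # malformed or unsigned request
    current = time.time() if now is None else now
    if current >= expires:
        return False                      # expired: leaked copies die here
    expected = hmac.new(key, _message(parts.path, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the key.
    return hmac.compare_digest(expected, sig)


def tamper_path(url: str, new_path: str) -> str:
    """Helper for the demonstration: swap the path but keep the query string."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{new_path}?{parts.query}"


if __name__ == "__main__":
    t0 = 1_700_000_000                    # constructed fixed clock
    url = sign_url("/hphotos/p1.jpg", ttl_seconds=300, now=t0)
    print(url)
    print("fresh:   ", verify_url(url, now=t0 + 100))
    print("expired: ", verify_url(url, now=t0 + 400))
    print("tampered:", verify_url(tamper_path(url, "/hphotos/p2.jpg"), now=t0 + 100))
```

Deleting a photo then only requires waiting out the longest TTL (or rotating the key) for every outstanding URL to become useless, which is the property the deleted-photo comment found missing; the obscurity of the path no longer carries the whole burden.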
