Wednesday 7 December 2011

There's nothing like good privacy, and this is ...

A colleague of mine notified me via Google+ of the news that Mark Zuckerberg's photos on Facebook had been hacked, supposedly by a security glitch that has now been closed. My colleague's comment on this was that he has "never seen a photo on the site, public or otherwise, where you can't just share out/reference the underlying photo's URL if you want to" and ended by asking "am I really the only one who's noticed this?" I have noticed this but, I must confess, only after being informed about it by the aforementioned colleague. If anyone doubts this statement about the free access to Facebook pictures then they can have a look at this picture which I have uploaded to Facebook but have set to be only visible by me. For added amusement, you will find that you can view it without even being logged into Facebook and, with any luck, it may now start appearing in searches with appropriate search terms.

Facebook are here employing a technique known as 'security through obscurity'. The fundamental principle of this is that the name of the image, 388043_10150400636492271_81771217_n.jpg, is so complicated that no one could possibly stumble upon it by accident. The problem with 'security through obscurity' is that it merely gives an illusion of security as it will stop someone accessing something by accident but will not deter anyone with real malicious intent. You could liken it to leaving the front door key of your house under the doormat; the postman who happens to push against the front door is not going to get in but it will not stop the real burglar. Six years ago ZDNet published the six dumbest ways to secure a wireless LAN and three of them are examples of 'security through obscurity'.

However, is there really a problem with the photographs on Facebook? What are the chances of someone stumbling across the correct 5 very large numbers followed by the correct letter to view my image? Admittedly that is not very likely but just as I have revealed to the world the URL of an image in my Facebook account that only I should be able to view, I can do the same with any picture that has been shared with me even if the owner of that picture has set restrictive access. Likewise, I could do the same with any picture visible by an account I happen to have hijacked. Happily, Firesheep is not a problem if you are using SSL but who is to say there isn't another exploit out there that is not yet publicly known?

How hard is it really to make images private? Not really too difficult, as can be illustrated by this picture at Dropbox. I am not arguing that Dropbox are a paragon of virtue (although over that weekend in June the problem was fixed quickly and no one was apparently compromised) but if you click on that link you will, I hope, get a 403 error indicating that access is forbidden. It would not be beyond the realms of possibility for Facebook to implement a similar system but I suspect that the real reason is that they want people to be able to link to their images like this:

without getting this:

The first image being my top secret Facebook picture while the broken image is in place of my Dropbox file.

I think that the conclusion is clear: do not put pictures, or any other material for that matter, on any social media site unless you are perfectly happy for it one day to find its way into the public domain.

Update

I have just found that Google+ is the same as Facebook in this respect and here is a similar image to the one above. Google+ uses Picasa for managing users' pictures and it would appear that this has been known for some time.

Update 2 - 27/12/12

I have noticed that the link to my picture on Facebook has changed from "https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash4/388043_10150400636492271_508542270_8590570_81771217_n.jpg" to "https://fbcdn-sphotos-a-a.akamaihd.net/hphotos-ak-ash4/388043_10150400636492271_81771217_n.jpg". I am not entirely sure whether this is due to an internal reshuffling of the data or maybe the links have always been time limited, which I suppose provides a small degree of extra security. It doesn't take a lot, however, to see how the new link is created from the old. I have fixed the image for the time being.
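
To make the contrast between the unguessable file name, the 403 from Dropbox and a time-limited link concrete, here is a small sketch added to this post (it is not Facebook's or Dropbox's code). The file name, accounts, key and function names are all constructed for illustration, and the time-limited variant is an assumption about how such links could work, not a description of what Facebook does.

```python
import hashlib
import hmac

# Constructed sample data: file name, accounts and key are all made up.
SECRET = b"demo-key-not-for-production"
PHOTOS = {
    "111111_2222222222222222_33333333_n.jpg": {
        "owner": "alice", "shared_with": {"bob"}, "data": b"<jpeg bytes>",
    },
}

def serve_by_name_only(name):
    """Obscurity only: whoever presents the file name gets the bytes."""
    photo = PHOTOS.get(name)
    return (200, photo["data"]) if photo else (404, b"")

def may_view(photo, user):
    """The privacy setting: the owner plus accounts the owner shared with."""
    return user is not None and (user == photo["owner"] or user in photo["shared_with"])

def serve_with_access_check(name, session_user):
    """Check the requester against the privacy setting on every request."""
    photo = PHOTOS.get(name)
    if photo is None:
        return 404, b""
    if not may_view(photo, session_user):
        return 403, b""  # knowing the name is not enough
    return 200, photo["data"]

def sign_link(name, expires_at):
    """Time-limited link: HMAC over the name and expiry (not bound to a viewer)."""
    msg = f"{name}|{expires_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def serve_signed_link(name, expires_at, sig, now):
    """Reject forged or expired links; a valid one still works for anyone."""
    photo = PHOTOS.get(name)
    if photo is None:
        return 404, b""
    if not hmac.compare_digest(sig, sign_link(name, expires_at)) or now > expires_at:
        return 403, b""
    return 200, photo["data"]
```

Only `serve_with_access_check` enforces the owner's privacy setting; the signed link narrows the window in which a passed-on URL works but does not care who is asking.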
