
Peekaboo! Facebook fills photo security hole

Sunday, 28 September 2008


Facebook has filled a hole that allowed strangers to view members' photos through the mobile version of the site, a spokesman said after the company was recently alerted to the problem, CNET News reported.
"Today, we learned that certain photos could be viewed by unauthorized users who employed a complicated hack," a spokesman wrote in an e-mail.
Once the issue was reported, it was resolved within hours, according to CNET News. These photos are no longer available to unauthorized users.
"We encourage security researchers examining Facebook to practice responsible disclosure," the spokesman said.
Basically, someone who knew the serial number of a Facebook user, which is easy to get, and knew a trick for rejiggering the URL could see private photos of that user. Small photos could also be changed to display in a larger size. The vulnerability could only be exploited with Firefox browsers.
"This week's hole is as good as the March 2008 thing, but easier to do," said Byron Ng, a Vancouver, Canada-based computer technician who notified CNET News of the problem. "And it allows you to target anyone."
CNET News verified the hole before it was fixed and was able to see a private photo of Facebook founder Mark Zuckerberg, among others.
Facebook had a similar problem with photos being exposed to strangers in March, and has suspended third-party apps that violated the privacy of users who downloaded them. To minimize the risk, the company will soon be launching a program to verify the security of the outside apps.