Monday, March 16, 2009

Photo privacy on Facebook

'Cause fashion can't replace content

The exam session is finally over! Spare time is synonymous with violent gigs, devastating parties, and even with a brand new post about the social network we all treat as a brother.

As reported in these blogs, Facebook photos have been considered far from private since the beginning. The reason is clear: Facebook relies on a small number of Content Delivery Networks to host static content (photos, videos, CSS, JS...), and those CDN servers do not check the identity of the client. This means that anyone who has a direct link to a photo is able to see it.

Recently (and silently) something has changed. This is an old set of contiguous photo URLs from the same album:
http://photos-a.ak.fbcdn.net/[...]/1039372716/n1039372716_266356_3811.jpg
http://photos-b.ak.fbcdn.net/[...]/1039372716/n1039372716_266357_4117.jpg
http://photos-c.ak.fbcdn.net/[...]/1039372716/n1039372716_266358_4397.jpg
http://photos-d.ak.fbcdn.net/[...]/1039372716/n1039372716_266359_4698.jpg
http://photos-e.ak.fbcdn.net/[...]/1039372716/n1039372716_266360_4992.jpg
[...]
http://[serverName]/[(pseudo)directories]/[userID]/[size][userID]_[photoID]_[PIN].jpg

And here is a new set of URLs from the same album:
http://photos-a.ak.fbcdn.net/[...]/2649_1096706251415_1039372716_300200_1526354_n.jpg
http://photos-b.ak.fbcdn.net/[...]/2649_1096706291416_1039372716_300201_1765863_n.jpg
http://photos-c.ak.fbcdn.net/[...]/2649_1096706331417_1039372716_300202_7597791_n.jpg
http://photos-d.ak.fbcdn.net/[...]/2649_1096706371418_1039372716_300203_1393878_n.jpg
http://photos-e.ak.fbcdn.net/[...]/2649_1096706411419_1039372716_300204_4965159_n.jpg
[...]
http://[serverName]/[(pseudo)directories]/[firstID]_[albumID]_[userID]_[photoID]_[PIN]_[size].jpg

Can you spot a couple of differences?
1) the new albumID comes with some weird math, yet simple to be understood (and bypassed);
2) the PIN is now longer and, even worse, it seems to come from a random (or at least one-way) function. This can be demonstrated by uploading small photos (just 1x1 pixels!) and looking at the corresponding PINs, with no way to make sense of them. Obviously it is still possible to guess some PINs with a brute-force approach, but too much time is needed to achieve any useful result.
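To make the two naming schemes concrete, here is a small Python parser added as an example for this post (it is not Facebook's code and not the author's). It is built from the two URL templates quoted above, assumes that the IDs and the PIN are decimal digits and that the size marker is a single lowercase letter, and runs on constructed sample URLs whose elided directory part is replaced by a placeholder segment. It quantifies point 2: the PIN is the only part of the URL that a third party cannot derive from the other fields, so its length sets the work factor a guesser faces, and going from four to seven decimal digits raises that from roughly 2^13 to roughly 2^23 candidates.

```python
import math
import re
from dataclasses import dataclass
from typing import Optional

# Old scheme, as described in the post:
#   http://[serverName]/[dirs]/[userID]/[size][userID]_[photoID]_[PIN].jpg
# Assumption: IDs and PIN are decimal digits, size is a single lowercase letter.
OLD_RE = re.compile(
    r"^https?://(?P<server>[^/]+)/(?P<dirs>.+)/(?P<dir_user>\d+)/"
    r"(?P<size>[a-z])(?P<user>\d+)_(?P<photo>\d+)_(?P<pin>\d+)\.jpg$"
)

# New scheme, as described in the post:
#   http://[serverName]/[dirs]/[firstID]_[albumID]_[userID]_[photoID]_[PIN]_[size].jpg
NEW_RE = re.compile(
    r"^https?://(?P<server>[^/]+)/(?P<dirs>.+)/(?P<first>\d+)_(?P<album>\d+)_"
    r"(?P<user>\d+)_(?P<photo>\d+)_(?P<pin>\d+)_(?P<size>[a-z])\.jpg$"
)


@dataclass
class PhotoUrl:
    scheme: str          # "old" or "new"
    server: str
    user_id: str
    photo_id: str
    pin: str
    size: str
    album_id: Optional[str] = None  # only present in the new scheme


def parse_photo_url(url: str) -> Optional[PhotoUrl]:
    """Classify a CDN photo URL as old- or new-scheme and split out its fields."""
    m = NEW_RE.match(url)
    if m:
        return PhotoUrl("new", m["server"], m["user"], m["photo"],
                        m["pin"], m["size"], m["album"])
    m = OLD_RE.match(url)
    if m:
        # Sanity check from the template: the directory segment repeats the userID.
        if m["dir_user"] != m["user"]:
            return None
        return PhotoUrl("old", m["server"], m["user"], m["photo"], m["pin"], m["size"])
    return None


def pin_keyspace(pin: str) -> int:
    """Number of candidate values for a decimal PIN of this length: 10**digits.
    Every other field of the URL is predictable from user and album, so the PIN
    is the only component that behaves like a secret."""
    return 10 ** len(pin)


def pin_bits(pin: str) -> float:
    """The same key space in bits (an upper bound: assumes uniformly random PINs)."""
    return math.log2(pin_keyspace(pin))


def weakest_pin_bits(urls):
    """For a batch of URLs, the smallest PIN key space seen per scheme.
    The minimum matters: the cheapest-to-guess PIN sets the effective protection."""
    result = {}
    for url in urls:
        p = parse_photo_url(url)
        if p is None:
            continue
        bits = pin_bits(p.pin)
        result[p.scheme] = min(result.get(p.scheme, bits), bits)
    return result


# Constructed sample input: the IDs follow the post's examples, but the elided
# directory part of the path is replaced by the placeholder "constructed-dir".
SAMPLE_URLS = [
    "http://photos-a.ak.fbcdn.net/constructed-dir/1039372716/n1039372716_266356_3811.jpg",
    "http://photos-b.ak.fbcdn.net/constructed-dir/1039372716/n1039372716_266357_4117.jpg",
    "http://photos-a.ak.fbcdn.net/constructed-dir/2649_1096706251415_1039372716_300200_1526354_n.jpg",
    "http://photos-b.ak.fbcdn.net/constructed-dir/2649_1096706291416_1039372716_300201_1765863_n.jpg",
    "http://example.invalid/not-a-photo-url.png",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(parse_photo_url(url))
    print(weakest_pin_bits(SAMPLE_URLS))
```

Run as a script it prints the parsed fields of each sample URL and then a per-scheme summary; the old scheme comes out at about 13.3 bits, the new one at about 23.3 bits. The bits figure is an upper bound: it holds only if the PIN is drawn uniformly, which is exactly the property the post says cannot be confirmed from the outside, and it says nothing about whether the albumID's "weird math" leaks anything.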

Thumbs up for Facebook? Not yet.
So keep that photo from being replicated on hundreds of servers around the world...

(Raein. photo by A bout de Souffle Art)
