basic facebook privacy breaches 2011
TRANSCRIPT
8/3/2019 Basic Facebook Privacy Breaches 2011
http://slidepdf.com/reader/full/basic-facebook-privacy-breaches-2011 1/6
Hakin9 EXTRA
IntroductionThe Web paradigm is about web pages referring to other pages
to form a network with URL as links and pages as nodes. The
usual benefit of networks is that they deliver a positive netwok
effect, that is, the more pages in the networks the more use-
ful it is. This is an economical concept and is a central theme
in discusions related to services gaining a monopoly (http://
en.wikipedia.org/wiki/Network_effect). Online social network
services has discovered that using people’s profiles as nodesand virtual friendships as links we can disseminate informa-
tion more rapidly. That is the Social paradigm on the Net. In par-
ticular, Facebook (FB) is the most used online social network
and has a business model that involves privacy concerns and
allows various degrees of public or private information. As the
number of FB users aproaches 1 billion around these days eve-
ryone agrees that most of the users cannot keep up with privacy
changes. That means that most of the users do not know if they
information is private or public, and to what degree.
FB privacy concerns are valid because users upload private
photos and videos, publish personal tastes including religious
and political opinions. These leads to cases of legal, job and
academic compromise of many users. Even it has been re-
ported that FB and other social networks are used by federal
investigators to spy on suspects by using fake profiles or directly
requesting cooperation with emergency private data requests
(http://www.huffingtonpost.com/2010/03/16/fbi-uses-fake-face-
book-pr_n_500776.html ).
Besides native privacy issues, as any web page FB has been
a target of cross-site scripting (XSS), SQL code injection, phish-
ing and any attack imaginable for the web vector. Most of the
vulnerabilities are available not directly through FB but through
the FB platform, the environment for developing third-party ap-
plications using FB data and social capabilities (https://develop-
ers.facebook.com/).
In this article we will focus on native privacy and threats of FB
but we will comment brieftly on the FB platform. Launched in
2007 the FB platform opens up the data with applications, ex-
ternal websites and devices. Before that FB grew on their own
closed ground with no interconnectability except for some RSS
feeds. As FB is moving target with privacy changes every year
since 2004, we hope the examples will ilustrate more abstract
concepts that will help you secure your social profile in FB and
actively anticipate future threats. Defying curiosity and building
a constructive paranoia is the main goal.
Facebook privacy settingsAs we mentioned earlier FB helps users upload information that
includes at least for each user a personal profile, a list of friends
or contacts, photo albums and a personal wall with posts. Users
are identified by an USERID identifier:
��
or optionally an unique custom name
�
Not by the complete name because is not unique. Check fa-
vorite search engine for public John Smith profiles
��
��
and find that all complete names are accompanied by an US-
ERID
���
Present photo access is made using an URL such as
���
BASIC FACEBOOKPRIVACY BREACHES
This paper is an introduction to Facebook privacy settings andattacks. We survey historic and present aspects of Facebook privacyand security to introduce the reader into the privacy concepts and
state of the most widely used social network.
JOSE IGNACIO ORLICKI
8/3/2019 Basic Facebook Privacy Breaches 2011
http://slidepdf.com/reader/full/basic-facebook-privacy-breaches-2011 2/6
Basic Facebook Privacy Breaches
Photo URL history will be discussed in another section (Pri-
vacy through obscurity).
Each user has some rights to govern the ability of other users
to interact with their information. Given some flexibility in these
settings the downfall is that most users choose to accept default
privacy setting without modification. So the default configura-
tion is often a topic of discussion between privacy defenders
and socialmongers.
As for 2010 Matt McKeon has compiled an infography of the
evolution of FB default privacy settings (http://mattmckeon.com/
facebook-privacy/). On Figure 1 we can see for example default
profile settings on November 2009. We comment on the privacy
levels but remember that the graphic is only ilustrative, you will
find that default privacy in practice is filled with nooks and cran-
nies depending on obligatory versus optional settings, rollbacks
and retroactive settings:
� -
mation without even being logged in FB.
�
access de information.
� -
er U’s information if it is a friend of some of U’s friends.
�
These levels are also calles Access Control Levels (ACLs) and
are used in FB when users specify which users can access or
operate on their profile or uploaded objects.
Since April 2010 FB has a clear interface for automated inter-
action with third-party applicacions. Part of that effort includes
posts to obtain data in JSON format:
���
A capability is the ability to perform an action (http://en.wikipedia.
org/wiki/Capability-based_security ). FB maybe should enforce
(or give the possibility to enforce) the principle of least privi-
lege (http://en.wikipedia.org/wiki/Principle_of_least_privilege)
that requires that every user must be able to access only the
information and resources that are necessary for its legitimate
purpose. As separating different social concerns is tedious most
users accept default privacy settings that are guided by busi-
ness decisions whose objective is to open up useful information,
suck as people tastes (Likes). Present privacy setting include
the following capabilities, as seen on “Privacy Setting” (https://
www.facebook.com/settings/?tab=privacy):
�
Friends or Custom (FoFs, Only Me, etcetera).
� -
ryone, FoFs or Friends.
�
�
or Friends.
�
�
FoFs, Friends, Only Me or custom lists of contacts.
On “Privacy Setting > How Tags Work”:
�
Facebook): On or Off (Introduced around August 23,
2011! https://blog.facebook.com/blog.php?post=101502
51867797131).
�
On or Off.
�
custom lists of contacts.
�
you: On or Off (face recognition!)
� -
es app: On or Off.
On “Privacy Setting > Apps and Websites”:
� -
tions you are using. Apparently most apps access more in-
formation the require for normal usage.
�
allowing people who sees your data to use it on third-party
applications.
�
about your friends the moment you arrive on select partner
websites: On or Off.
�
As these settings suggest the privacy sourface is pretty big. At
least your should notice that objects (profiles, photos, etc) can
be of two different kinds:
�
(such as 1779461858) are static and once you found an
�
may change. Even in some case historic changes to photo
URLs have proven possible for FB architects.
As static and dynamic objects are combined also emerges the
concept of visible versus non-visible. As you may suspect as
Figure 1. Availability of personal date on Facebook (default settings)
8/3/2019 Basic Facebook Privacy Breaches 2011
http://slidepdf.com/reader/full/basic-facebook-privacy-breaches-2011 3/6
Hakin9 EXTRA
soon as an object becames visible there is turning back, at least
for the privacy hacker finding the information, as he/she can
grab and mirror the information in another site.
�
the entire Internet) the object is visible to the attacker. For
can be found though a common friend.
� object.
Remarkably, unless you use very basic privacy settings or you
have a mathematical demostration, you do not know if an ob-
ject if visible or not.
Publication of FB information historically moved from privacy
open/automated platform for applications.
Privacy through obscurityFB HTML/JavaScript is a highly convoluted salad of ofuscated
vegetables. That is a problem because many exposed privacy
backtracks has led to situations of “security through obscurity”,
mainly during 2009. For example friend lists where made pub-
lic and then after users and lawmakers complaints those lists
where remove from the front-end profile but remain technical
publicly available information (PAI):
‘Now when you uncheck the ‘Show my friends on my profile’
option in the Friends box on your profile, your Friend List won’t
appear on your profile regardless of whether people are viewing
it while logged into Facebook or logged out. This information is
still publicly available, however, and can be accessed by appli-
cations.’ (source: CNET http://news.cnet.com/8301-13577_3-
10413835-36.html)
Trick (at this moment fixed) was accesing directly the AJAX
data dictionary:
���
Another famous breach was related to photo albums (source:
theharmonyguy). As for many years default privacy level for
new albums was Everyone no one cared because in practice
only Friends or FoFs can access those albums (i.e. seen them
included in the HTML) and the chance that other users guess
the ALBUMID seemed remote. But as FB rolled out a less pri-
vate default policy these Everyone-marked albums (including
FB founder personal photos) appeared visible directly to all
the Internet. After public notice and critisism FB rolled back the
change everyone discovered that the difference for the Every-
one-marked albums was only a client-side HTML JavaScript
masquerade. So many JavaScript bookmarklets proliferate
to continue accessing the albums, such as those included on
Listing 1. Even someone discovered that album identificators
at some point during early 2009 were also publicly available
through FQL (see section FQL and OpenGraph) (Listing 1).These tricks were subsequently patched or client-side web
code obfuscated beyond human comprehension. These trick
worked for old, shorter, user ids (ranges from 500090001 to
1777798795 and also ids smaller than 5000 correspond to FB
employees). On newer ids, ranging from 100000000000004 to
present, newest user photos marked for Everyone appear directly
on the user profile. As user identificators are assigned incremen-
-
es to compute what fraction of users are actually active. There is
also the question of guessing or predicting photo ids.
Photo URL PredictionAs we discused in the previous section back and forth modifi-
where accesible by anyone. After researchers versus FB engi-
neers practical debate developed others questioned the robust-
ness of FB photo URLs. A clarifying article was written by Jo-
seph Bonneau (http://www.lightbluetouchpaper.org/2009/02/11/
new-facebook-photo-hacks/ ).
As later as February 2008, privacy controls were enforced
unless you have the user identificator of the target. Not very pri-
vate may sound as ids are available on public search engines.
���
On March 2008, this issue reached mass media and photoURLs were obfuscated and controls really enforced, at least
on the FB web domain. What Joseph Bonneau pointed later in
February 2009 was that photo data itself is served from other
domains than facebook.com (for example bulk data provider
Akamai’s ak.fbcdn.net domain). Apparently fbcdn.net stands
for Facebook Content Delivery Network and opens the door
to a high performance photo server whose performance does
not allow cookies at all. So guessing high-performance URLs
leads to direct photo access. At that time we show you an
URL example :
Listing 1. Hacks
8/3/2019 Basic Facebook Privacy Breaches 2011
http://slidepdf.com/reader/full/basic-facebook-privacy-breaches-2011 4/6
8/3/2019 Basic Facebook Privacy Breaches 2011
http://slidepdf.com/reader/full/basic-facebook-privacy-breaches-2011 5/6
Hakin9 EXTRA
See Figure 2 for a diagram of the FB platform. FB seats in the
middle between the app provider and the user, proccesing code
and serving as a proxy of user data the app requires. Actually
the value of FB apps comes from the use of social network data,
such as lists of friends, for example in social gaming.
Apps are known for security and privacy problems as FB do not
has the abilitity to push good practices on application develop-
ers, specially regarding privacy. According to social networks
security expert Joey Tyson (also known as ‘theharmonyguy’):
[FB] does notify applications when a user uninstalls them, but
it’s up to the developer to actually do something about the data
left behind. (source: theharmonyguy.com)
Many web security problems have plagued the FB platform,
including Cross-site scripting bugs (XSS). This kind of JavaS-
cript code-injection bug allows attackers to collect private user
information accessed by the applications. Alex Sotirov has de-
veloped a novel testing setup (see Figure 3) to find XSS by
closing the proxy loop and testing XSS filters with a set of tools
(http://www.phreedom.org/research/blackbox-reversing-of-xss-
filters/). LeonBlade has reported to FB in May 2011 a XSS and a
worm prototype, as you can see on Listing 3 (watch tutorial on-
line at http://www.youtube.com/watch?v=QcSAU16wjHQ). Theworm injects itself to replicate affecting the friends of the victim.
Notice the request to FBML using the application id.
In the next section we will discuss various basic theats to pri-
vacy related to FQL.
FQL and OpenGraphFacebook own query language, known as FQL, gives any user
access to partial FB data. Since 2009 all FB data has been re-
structured for third-party access on a new platform called Open-
Graph, but FQL remains as one of the ways of requesting Open-
Graph data. OpenGraph core design goal is to help interact withexternal websites, for example IMDb. By default only public FB
data can be accessed.
��
Also you can access user OpenGraph data without FQL.
��
Also FB platform developers can use FQL to access data of ap-
plications users that has given permission by registering to theapplication. For example, in the JavaScript test console (Fig-
Listing 3. Worm prototype using Facebook XSS.
Figure 2. Diagram of FB platform
Figure 3. Diagram of testing setup
Figure 4. JavaScript Test Console
8/3/2019 Basic Facebook Privacy Breaches 2011
http://slidepdf.com/reader/full/basic-facebook-privacy-breaches-2011 6/6
Basic Facebook Privacy Breaches
As observed in a previous section standard web programming
such as JS and PHP will replace the more custom languages
FBML and FBJS, but all data queries can be translated to FBL
queries (https://developers.facebook.com/docs/reference/api/).
If you request your own FB application and get some users
to use it. Then data collected from the users can be queried
for example from Python. Access token key to access public
data can be requested manually from the Graph API Explorer (https://developers.facebook.com/tools/explorer see Figure 5).
Otherwise you can request an Access Token for you application
choosing it in the Graph API Explorer Combo and then select-
ing Get Access Token.
Paul Carduner made a simple library called fbconsole for ac-
cessing present-day OpenGraph (https://github.com/facebook/
fbconsole). After requesting an Access Token and complet-
ing .fb_access_token file you can run scripts such as seen on
Listing 4.
ConclusionAs Facebook privacy settings and interaction with third-party ap-
plications became more open, many issues has emerged. It isup to the users and researchers to continue pointing out obscure
designs details and basic bugs. A trend in the past showed us
-
tures and interaction fronts lead to unexpected new flows of
private information. Present and future privacy breaches are
heading towards mobile (http://m.facebook.com), external web
sites interaction (OpenGraph) and standard JavaScript integra-
tion (custom FBML or FBJS is considered legacy code at this
moment).
JOSÉ IGNACIO ORLICKIGraduate student at ITBA, Buenos Aires, Argentina. He is currently resear-
ching on social network privacy and web mining. Website: http://www.
mechpoet.net Listing 4. Accessing FQL from Python using fbconsole.
Figure 5. Graph API Explorer