Friday, November 6, 2009

Are my facebook photos really private?

I wanted to show a Facebook friend's photograph to another Facebook friend. I sent him the link from the browser, but he got the error "No Content Found". This is a generic Facebook message shown when someone tries to access a resource which does not exist or which they do not have permission to view. In this case the content was there, but the permissions were missing.

I right-clicked on the photo (browser: Firefox) and copied the image location, then pasted it to my friend. And voila, he could access it. Now that is scary. Even your photographs with the highest privacy level are on some Facebook caching server somewhere on the Internet; the only thing you don't know is the address. I could access the cached copy without any authentication.

My next question: can a crawler (an automated web program) find these photographs?

Well, this is what I tried. The following is the image link of a photograph which has the highest privacy level ('Only Me'), and you can see this photograph too.

http://photos-g.ak.fbcdn.net/hphotos-ak-snc3/hs005.snc3/11269_100176256674713_100000470162575_1960_2224458_n.jpg

Let us break this up.
  • http://photos-g.ak.fbcdn.net/ --> domain owned by Facebook
  • hphotos-ak-snc3/hs005.snc3 --> seems to be their caching directories (keeps on changing for different cached photos)
  • 11269_100176256674713_100000470162575_1960_2224458_n.jpg --> your photograph, obviously renamed, but we can break it down too. Of these:
    • 100000470162575 --> your profile id.
    • 1960 --> your photo id.
    • n --> type of photograph (other values could be 'a', 's' or 't', where 's' could stand for 'small', 't' for 'thumbnail' and 'n' for 'normal').
    • For the other 3 params (11269, 100176256674713, 2224458) I am still figuring it out (a look at the Facebook API might help).

If a crawler tries generating these params, it would need the same logic as Facebook or some derived intelligent algorithm rather than brute force, since any brute-force attempt will definitely make Facebook aware.

It is only a matter of time before some outsider understands this logic.

So back to the question : Are my facebook photos really private?

Yes they are, as long as no one knows where they are. The analogy for this: imagine the Internet as a world where every place is identified by a unique address. As long as your home address is unknown to the intruder, the intruder cannot harm you. But once the address becomes known, there is not a single lock at your home to protect your assets.
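The missing "lock" in that analogy is what a signed, expiring URL provides: the CDN serves the cached copy only if the link carries a token bound to the path and an expiry, so a leaked address stops working after a short time and cannot be edited to point at a neighbouring photo id. This is an added example of that mitigation, not Facebook's code; the secret key and the `expires`/`token` query parameters are assumptions, and the sample path is the link quoted above.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical secret shared only between the origin and the CDN edge (constructed value).
SECRET_KEY = b"example-secret-do-not-use"

# The photo link from the post, reused as sample input.
PHOTO_URL = ("http://photos-g.ak.fbcdn.net/hphotos-ak-snc3/hs005.snc3/"
             "11269_100176256674713_100000470162575_1960_2224458_n.jpg")


def _token(path, expires, key):
    # The HMAC covers both the path and the expiry, so neither can be changed
    # without the secret: a token for photo 1960 is useless for photo 1961.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(url, ttl_seconds, key=SECRET_KEY, now=None):
    """Return the URL with an expiry timestamp and an HMAC token appended."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    parts = urlsplit(url)
    query = urlencode({"expires": expires, "token": _token(parts.path, expires, key)})
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{query}"


def verify_url(url, key=SECRET_KEY, now=None):
    """The edge-side check: True only if the token matches the path and is not expired."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        token = qs["token"][0]
    except (KeyError, ValueError):
        return False          # bare link, exactly like the one pasted in the post
    if now > expires:
        return False          # a leaked link dies on its own after the TTL
    # Constant-time comparison so the token cannot be guessed byte by byte via timing.
    return hmac.compare_digest(token, _token(parts.path, expires, key))
```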

P.S.: These are my personal views and conclusions and may or may not be accurate.

1 comment:

Anil said...

A superb article giving an insight into exposing that Facebook's privacy features may not be up to the mark.