September 16, 2008 10:34 AM PDT

Peekaboo! Facebook fills photo security hole

by Elinor Mills

Facebook has filled a hole that allowed strangers to view members' photos through the mobile version of the site, a spokesman said Tuesday after being alerted to the problem by CNET News Monday night.

"Today, we learned that certain photos could be viewed by unauthorized users who employed a complicated hack," a spokesman wrote in an e-mail. "Once we were notified of the issue, it was resolved within hours. These photos are no longer available to unauthorized users. We encourage security researchers examining Facebook to practice responsible disclosure."

Basically, someone who knew the serial number of a Facebook user, which is easy to get, and knew a trick for rejiggering the URL could see private photos of that user. Small photos could also be changed to display in a larger size. The vulnerability could be exploited only with Firefox browsers.

"This week's hole is as good as the March 2008 thing, but easier to do," said Byron Ng, a Vancouver, Canada-based computer technician who notified CNET News of the problem. "And it allows you to target anyone."

CNET News verified the hole before it was fixed and was able to see a private photo of Facebook founder Mark Zuckerberg, among others.

Facebook had a similar problem with photos being exposed to strangers in March, and has suspended third-party apps that violated the privacy of users who downloaded them. To minimize the risk, the company will soon be launching a program to verify the security of the outside apps.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
(5 Comments)
by thabassman September 16, 2008 6:03 PM PDT
yay.
by Harrison912 September 17, 2008 10:42 PM PDT
I'm glad Facebook was able to get it fixed. Since I have a web site dedicated to safety and security products, I'm always pleased to hear that security breaches have been repaired.
by khaye0623 September 6, 2009 1:45 PM PDT
cool
by Girbaudz September 28, 2009 1:07 PM PDT
This is my experience: unauthorized photos that I can't delete came into my Facebook album with this code:

by Girbaudz September 28, 2009 1:09 PM PDT
Please help me delete these photos. Thank you!