Facebook Album Security Flaw
It’s exam week at law school, so in between marathon study sessions I have been poking around on Facebook. I think I’ve found a significant flaw in how Facebook handles photo albums: by a roundabout route, it lets you open the photo albums of people you aren’t friends with. Given that Facebook has been rolling out new privacy controls recently, I assumed this would get fixed, but it has not. So I am posting this in the hope of getting Facebook’s attention so they fix it. Until then, you can potentially see the photo albums of people you aren’t friends with (and strangers can flip through yours!). Let the stalking begin.
So, first pick a friend. I picked one who has a fairly public online persona, so I don’t think she would mind me using her as an example, but I’ve still blurred most of her name. We’ll call her “J”. (You can click these photos to get larger versions.)
This is her profile page. Under J’s profile picture is a link to see “Photos of J”. If we click that we get:
This is a photo album showing every picture in which “J” is tagged on Facebook. It includes not just pictures J has uploaded herself, but pictures her friends have uploaded and tagged her in. The first picture is one of those: user “B” uploaded a photo to one of her own albums and tagged “J”, so it shows up in “Photos of J”. Keep in mind that I am NOT friends with user B. Let’s click that photo.
After clicking, we see the photo. This is not a photo J uploaded; it’s a picture B uploaded and tagged J in. You can see it is from the album “AMAs 2009” by B. Now, here is the kicker: click the name of the album and….
I just got through to B’s entire album! I can click on any of these pictures and look through them all. Again, I am NOT friends with user B, but I can see every photo in this album. The problem appears to be that because I am friends with J, and J is tagged in one photo in this album, Facebook lets me see the whole album: once I have reached one tagged photo, the album’s own privacy setting is never checked again for the other photos.
You can see why this is problematic. Let’s say your friend has a photo album simply called “college”, holding all the photos from her four years at school. She has innocent pictures of you on move-in day and at graduation, and you are tagged in those. Fine. In the same album she also has pictures of you wasted, making out with some random frat dude. You probably de-tagged those so that people would not find you in them. But de-tagging only removes a photo from “Photos of you”; it does not remove it from her album. If you are friends with a parent, and they click on the graduation photo and then click through to the album, they will be able to see the de-tagged embarrassing photo too.
Another case: let’s say you are not friends with that creepy guy because he, well, creeps you out. But one of your friends added him on Facebook, because she friends everyone. Now all he has to do is find a picture you uploaded in which you tagged your friend. He clicks through to the album and sees your entire photo album.
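To make the access-control mistake behind these scenarios concrete, here is a small model of the two ways an album view can be authorized. This is an added illustration, not Facebook’s code; the data model, the “friends only” album policy and the “friends of a tagged user can see that photo” rule are assumptions chosen to mirror the walkthrough above (the album “AMAs 2009” owned by B, one photo tagged J, the viewer friends with J but not B). The vulnerable version decides access once, at the entry point, and then shows everything in the album; the hardened version re-checks every photo against the album’s own policy or that photo’s own tag rule, so a de-tagged photo falls back to the album’s privacy setting.

```python
"""Album visibility: authorization by reachability (the flaw) vs. per-photo checks.
Illustrative model only; names, data and policy rules are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Photo:
    photo_id: str
    tagged: frozenset = frozenset()  # users tagged in this photo


@dataclass
class Album:
    name: str
    owner: str
    photos: list = field(default_factory=list)  # assumed policy: owner's friends only


# Constructed sample data mirroring the post: "me" is friends with J, not with B.
FRIENDS = {
    "me": {"J"},
    "J": {"me", "B"},
    "B": {"J"},
}
AMAS = Album("AMAs 2009", "B", [
    Photo("p1", frozenset({"J"})),  # B's photo with J tagged -> appears in "Photos of J"
    Photo("p2"),                    # untagged (or de-tagged) photo in the same album
])


def are_friends(a: str, b: str) -> bool:
    return a == b or b in FRIENDS.get(a, set())


def album_policy_allows(viewer: str, album: Album) -> bool:
    """The album's own privacy rule: the owner and the owner's friends."""
    return are_friends(viewer, album.owner)


def tag_allows(viewer: str, photo: Photo) -> bool:
    """'Photos of X' rule: friends of a tagged user may see that single photo."""
    return any(are_friends(viewer, t) for t in photo.tagged)


def visible_photos_vulnerable(viewer: str, album: Album) -> set:
    """Flawed: reaching any one photo (via the album policy or a tag) unlocks the
    whole album. Authorization happens once, on the entry point, never per object."""
    reachable = album_policy_allows(viewer, album) or any(
        tag_allows(viewer, p) for p in album.photos)
    return {p.photo_id for p in album.photos} if reachable else set()


def visible_photos_hardened(viewer: str, album: Album) -> set:
    """Per-photo check: each photo must pass the album policy or its own tag rule.
    A de-tagged photo therefore falls back to the album's privacy setting."""
    allowed_by_album = album_policy_allows(viewer, album)
    return {p.photo_id for p in album.photos
            if allowed_by_album or tag_allows(viewer, p)}


if __name__ == "__main__":
    for viewer in ("me", "J", "stranger"):
        print(viewer, "vulnerable:", sorted(visible_photos_vulnerable(viewer, AMAS)),
              "hardened:", sorted(visible_photos_hardened(viewer, AMAS)))
```

Run as a script, the model shows the viewer “me” getting both photos from the vulnerable check but only the tagged photo p1 from the hardened one, while J (a friend of B) still sees the whole album and a stranger sees nothing either way. The general lesson is that a permission derived from one object (a tag on a single photo) must not be allowed to become a permission on its container.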
Facebook, if you come across this page, please fix this issue. It is a serious problem with how you treat photos!
Posted on December 12, 2009, in Internet, Society, Technology. Bookmark the permalink. 1 Comment.
Wow… yes, I tried it, and it DOES do that!
And there’s also another one: when someone “Likes” your photo, it will show up on your friend’s wall (let’s call your friend ‘A’) that he/she “Likes” your photo; and when A’s friend (who’s not your friend, let’s call this person ‘B’) clicks on that photo link, person B can see your photo and the whole album just by clicking on the album name.