Facebook Album Privacy Exploit
A recent Facebook exploit allows you to access albums that belong to people you are not friends with. It only works if one of your friends has been tagged in the album you’re trying to view. Facebook has created a way to prevent this, but it seems their solution is incomplete.
When you’re tagged in an album, Facebook adds the photo(s) to your collection of “Added by Others” photos. When you’re viewing one of these photos of your friend, you can see the album name and creator displayed under the photo. If the creator is your friend, the album name is a link; otherwise you are not supposed to have access to the rest of the album.
The exploit shows a way to view what else is in the album your friend was tagged in, and you can also see pictures your friends may have untagged themselves from.
You can do that by going to a friend’s photos page. Open one of the “Added by Others” photos tagged by someone whom you aren’t friends with. Pay attention to the address of the page you are viewing and all of the PHP variables (everything after the question mark). “pid=258755” is the ID of the photo in question. The variable “subj=850305322” tells Facebook the subject we are particularly looking for in the album. “&id=992303520” is the member ID of the person who created the album. Ignore the other variables. Remove this variable altogether. If we simply tried to isolate the photo by defining only the “pid” variable, Facebook would return an error page that says you don’t have permission to view the page. For this to work, you have to leave the ID of the album owner on the end:
http://www.facebook.com/photo.php?pid=258755&op=2&view=all&subj=850305322&id=992303520
When you’ve reached this page, you’ll notice that the title of the page has changed from “Photos of Some Name Added by Others” to the name of the creator and album. Now you are in the actual album, instead of the tagged photos of your friend. By using the “previous” and “next” buttons, you will be navigating the rest of the album instead of your friend’s tagged photos.
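The behaviour described above fits a common access-control flaw: permission is checked for the photo you enter on, but not for the photos that album navigation then exposes. The following is an added example, not Facebook's code and not part of the original post; the data model, the user and photo IDs, and every function name are hypothetical, and it assumes a simple per-photo rule of "friend of the owner, or friend of someone tagged".

```python
# Constructed model of the access-control flaw; not Facebook's code.
# User IDs, photo IDs and all function names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Photo:
    pid: int
    owner: int
    tagged: set = field(default_factory=set)

# Viewer 1 is friends with user 2 only; user 5 is friends with album owner 3.
FRIENDS = {(1, 2), (5, 3)}
ALBUM = {p.pid: p for p in (
    Photo(100, 3, {2}),  # viewer 1's friend is tagged here
    Photo(101, 3),       # nobody tagged
    Photo(102, 3),       # friend removed their tag
)}

def are_friends(a, b):
    return a == b or (a, b) in FRIENDS or (b, a) in FRIENDS

def can_view(viewer, photo):
    """Per-photo rule: friend of the owner, or friend of someone tagged."""
    return are_friends(viewer, photo.owner) or any(
        are_friends(viewer, t) for t in photo.tagged)

def neighbours_flawed(viewer, pid):
    """Authorizes the entry photo once, then exposes the whole album."""
    if not can_view(viewer, ALBUM[pid]):
        raise PermissionError(pid)
    return [q for q in ALBUM if q != pid]

def neighbours_fixed(viewer, pid):
    """Re-applies the per-photo rule to everything navigation would show."""
    if not can_view(viewer, ALBUM[pid]):
        raise PermissionError(pid)
    return [q for q, p in ALBUM.items() if q != pid and can_view(viewer, p)]

def leaked(viewer, pid, nav):
    """Regression check: photos nav exposes that fail the per-photo rule."""
    return [q for q in nav(viewer, pid) if not can_view(viewer, ALBUM[q])]
```

The `leaked` helper is the kind of assertion worth keeping in a test suite: any navigation or listing endpoint should return an empty list for every viewer.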
If you prevent people who aren’t your friends from accessing your albums, others will lose the ability to view the photos you tagged your friend in.
Facebook is a big wealthy company and if there’s a privacy issue, they can probably figure out a solution. Anyhow, if you’re paranoid about your privacy, you probably shouldn’t be on Facebook to begin with.