Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 24th, 2008

Facebook Album Privacy Exploit

A recently published Facebook exploit allows anyone to view albums belonging to people they are not friends with. It only works if one of your friends has been tagged in the album you are trying to view. Facebook has created a way to prevent this, but its solution appears to be incomplete.

When you’re tagged in an album, Facebook adds the photo(s) to your collection of “Added by Others” photos. When you view one of these photos of your friend, the album name and its creator are displayed under the photo. If the creator is your friend, the album name is a link; otherwise you are not supposed to have access to the rest of the album.

The exploit shows a way to view everything else in the album your friend was tagged in, including pictures your friends may have untagged themselves from.

You can do that by going to a friend’s photos page. Open one of the “Added by Others” photos tagged by someone you aren’t friends with. Pay attention to the address of the page you are viewing and to all of the PHP variables (everything after the question mark). “pid=258755” is the ID of the photo in question. The variable “subj=850305322” tells Facebook whose tagged photos we are browsing within the album. “&id=992303520” is the member ID of the person who created the album. Ignore the other variables. Remove the “subj” variable altogether. If we simply tried to isolate the photo by keeping only the “pid” variable, Facebook would return an error page saying you don’t have permission to view it. For this to work, you have to leave the ID of the album owner on the end:


When you’ve reached this page, you’ll notice that the title has changed from “Photos of Some Name Added by Others” to the name of the creator and the album. You are now in the actual album rather than in your friend’s tagged photos. Using the “previous” and “next” buttons, you navigate the rest of the album instead of your friend’s tagged photos.
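The flaw described above is an authorisation check that is applied to the single photo but not to the album the “previous” and “next” buttons then walk through. The following is an added example, not Facebook’s code: a small model of the photo page in which the album context is taken from the request’s id parameter (the bug) beside a version that resolves the album from the photo record and checks the viewer’s permission on it. All users, album and photo IDs are constructed sample data.

```python
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}, "carol": set()}  # constructed friendship graph
ALBUMS = {"carol-trip": {"owner": "carol", "photos": [258701, 258755, 258790]}}  # constructed
PHOTOS = {258701: {"album": "carol-trip", "tagged": set()},     # constructed: pid -> containing
          258755: {"album": "carol-trip", "tagged": {"bob"}},   # album and the people tagged
          258790: {"album": "carol-trip", "tagged": set()}}     # in the photo

def can_view_album(viewer, album_id):
    owner = ALBUMS[album_id]["owner"]
    return viewer == owner or owner in FRIENDS.get(viewer, set())

def can_view_photo(viewer, pid):
    photo = PHOTOS[pid]
    if can_view_album(viewer, photo["album"]):
        return True
    # "Added by Others" rule: visible if the viewer or one of their friends is tagged in it
    return any(t == viewer or t in FRIENDS.get(viewer, set()) for t in photo["tagged"])

def tagged_photos_of(subject):
    return sorted(pid for pid, p in PHOTOS.items() if subject in p["tagged"])

def neighbours(context, pid):
    # the prev/next buttons navigate within `context`; a pid outside it has no neighbours
    i = context.index(pid) if pid in context else -1
    return (context[i - 1] if i > 0 else None, context[i + 1] if 0 <= i < len(context) - 1 else None)

def view_photo_vulnerable(viewer, params):
    pid = params["pid"]
    if not can_view_photo(viewer, pid):
        return None  # the single photo is authorised correctly...
    if "subj" in params:
        context = tagged_photos_of(params["subj"])
    else:
        # ...but without subj the navigation context is every photo of the owner named in the
        # request's id parameter, with no check that the viewer may see that album
        context = [p for a in ALBUMS.values() if a["owner"] == params["id"] for p in a["photos"]]
    prev_pid, next_pid = neighbours(context, pid)
    return {"pid": pid, "prev": prev_pid, "next": next_pid}

def view_photo_hardened(viewer, params):
    pid = params["pid"]
    if not can_view_photo(viewer, pid):
        return None
    album_id = PHOTOS[pid]["album"]  # album resolved from the photo record, not from the URL
    if "subj" in params:
        context = [p for p in tagged_photos_of(params["subj"]) if can_view_photo(viewer, p)]
    elif can_view_album(viewer, album_id):
        context = ALBUMS[album_id]["photos"]
    else:
        context = [pid]  # viewer may see this photo but not its album: no prev/next
    prev_pid, next_pid = neighbours(context, pid)
    return {"pid": pid, "prev": prev_pid, "next": next_pid}
```

With alice (a friend of bob, not of carol) requesting the photo bob is tagged in without the subj parameter, the vulnerable handler hands back prev/next links into carol’s album, while the hardened one shows only the single photo she is entitled to see.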

The countermeasure Facebook offers comes at a cost: to prevent people who aren’t your friends from accessing your albums, others must lose the ability to view the photos you tagged your friends in.

Facebook is a big, wealthy company, and if there’s a privacy issue they can probably figure out a solution. Anyhow, if you’re paranoid about your privacy, you probably shouldn’t be on Facebook to begin with.
