Why private Facebook photos aren’t so private


Facebook photos with access controls on them will not keep a photo truly private, IT PRO has learned.

By simply right clicking and selecting copy image location' on a photo, anyone can then paste the URL to share it with unauthorised users, even those not on Facebook.

"If Tom decides to share a photo with Betty and only Betty, Betty can in fact share that photo wherever she pleases without Tom knowing by simply right clicking on the photo and copying the address or image location," an anonymous source explained to IT PRO.

We tested the theory on Facebook and found the source's claims to be true.

The source suggested the findings indicated Facebook image serversare not encrypted.

The source also hypothesised a hacker with untoward intent could upload a variety of photos to their own account, examine the URLs and work out the server and file naming systems.

A hacker could then develop a script to generate various combinations, search for files, download and spreadthem, the source suggested.

"On Facebook we have numerous protections to prevent guessing of attacks on photos. For example, each photo includes a random secret key that has millions of permutations," a Facebook spokesperson told IT PRO.

"We of course do not disclose all of our protections to protect their integrity."

The spokesperson noted users can copy and paste any photos they have access to from any website and send it to whomever they want.

"This is exactly the same action as copying and pasting the content delivery network URL, which functions the same way on many major websites including Flickr, TwitPic and Picassa," the spokesperson added.

"While this practice is standard across many sites, we are always working on ways to improve the user experience and actively working on building additional protections."

Graham Cluley, senior technology consultant at Sophos and regular commentator on Facebook, said it was "pretty bad form" from the social network to have photos viewable by people without permission.

"The fact that you can see private' photos when you're not even logged in to Facebook suggests that they simply haven't grasped what privacy is all about," Cluley told IT PRO.

"Only Facebook users who are logged in and authorised to view specific photos should be able to see the photos."

The issue is a potentially serious problem for Facebook, which has come under fire for its handling of privacy in the past.

Just this week, Facebook seemingly carried out a u-turn on a feature that would let app developers access users' mobile phone numbers and addresses.

The social networking giant said it was going to update the feature to ensure users only share their data when they intend to do so.

Last year, Facebook updated its privacy settings after it was heavily criticised by various groups.

During the summer of 2010, Privacy International went so far as to send an open letter to Facebook calling for the social network to make significant changes.

One call the group made was for Facebook to provide users with control over every piece of information they can share, including photos.

It seems users do not have total control over how their images can be used just yet.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.