Security experts go to war
The wife of an Australian security expert has been targeted by another security expert in a Facebook privacy vulnerability test demonstrated at a security conference in Queensland.
The privacy vulnerability, which can affect all Facebook users if a hacker has enough time, allows for privacy-protected photos to be accessed without being the user's "friend".
In a presentation entitled "For God Your Soul... For Me Your Flesh" at the AusCERT security conference on the Gold Coast, security expert Christian Heinrich demonstrated how he had gained access to the privacy-protected Facebook photos of HackLabs director Chris Gatford's wife.
Facebook has been approached for comment.
The presentation has caused many in the security industry to question whether the example demonstrated was "unethical", especially given that among the security community it's well-known that Heinrich and Gatford do not enjoy each other's company.
Heinrich, who works as an IT security contractor, admitted he did not like Gatford but said that because Gatford presented himself as a security expert, he should be accountable for what is posted online. "I have no ethical qualms about publishing the photos," he said. "They are in the public domain."
Gatford, who is also attending the conference, said he had "no comment" about the incident.
The presentation was given on Sunday at the RACV Royal Pines Resort to a small room of about 20 people at an event called BSides Australia. Fairfax, publisher of this website, did not attend but was given an hour-long presentation by Heinrich shortly after he presented.
Speaking with Fairfax, Heinrich said the point of his talk was to show that not everything you posted to social networks was secure. Even if you had turned on the highest level of privacy settings you weren't safe, he said.
That was because Facebook and many other social networking websites used what is known as a content delivery network (CDN), which usually operates outside of a social network's own servers to deliver content quickly.
"Don't believe that the privacy settings extend all the way through the web application," Heinrich said. He said social networks should tell users that they shouldn't have an expectation of privacy.
Such content delivery networks usually consist of servers placed around the globe holding replicated copies of content, so that when you view a photo on Facebook, for example, it is served from the server closest to you, which takes less time than fetching it from a server in the United States.
In his presentation shown to audience members, Heinrich demonstrated how he had, over about seven days, extracted the privacy-protected Facebook photos of Gatford's wife via Facebook's CDN. One photo was of Gatford sitting on the floor next to one of his children.
Heinrich blurred out the child's face but left Gatford's in.
Over the seven days or so Heinrich ran a program on his computer to guess the URL of a photo. In the demonstration given to Fairfax it needed two inputs: the friend ID and a value X. X was the value the program guessed, working through roughly 0 to 200,000 candidates each day.
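As an added illustration, not part of the original article, this is the kind of check a CDN operator could run over its own access logs to spot the sequential guessing described above: a client walking consecutive photo identifiers for one owner with a high miss rate. The log format, URL paths and IP addresses are constructed for the example and are not Facebook's.

```python
import re
from collections import defaultdict

# Constructed sample CDN access log lines (hypothetical format, not Facebook's).
# Fields: client IP, request path (/photos/<owner_id>/<photo_id>.jpg), HTTP status.
SAMPLE_LOG = """\
203.0.113.7 /photos/1001/123.jpg 200
203.0.113.7 /photos/1001/124.jpg 404
203.0.113.7 /photos/1001/125.jpg 404
203.0.113.7 /photos/1001/126.jpg 200
203.0.113.7 /photos/1001/127.jpg 404
203.0.113.7 /photos/1001/128.jpg 404
198.51.100.9 /photos/1001/42.jpg 200
198.51.100.9 /photos/2002/42.jpg 200
"""

LINE_RE = re.compile(r"^(\S+) /photos/(\d+)/(\d+)\.jpg (\d{3})$")

def parse(log_text):
    """Yield (client, owner_id, photo_id, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            client, owner, photo, status = m.groups()
            yield client, int(owner), int(photo), int(status)

def find_enumerators(log_text, min_requests=5, min_miss_ratio=0.5):
    """Flag (client, owner) pairs whose requests walk mostly consecutive photo ids
    with a high 404 rate: the signature of guessing rather than normal browsing."""
    per_pair = defaultdict(list)
    for client, owner, photo, status in parse(log_text):
        per_pair[(client, owner)].append((photo, status))
    flagged = []
    for (client, owner), reqs in per_pair.items():
        if len(reqs) < min_requests:
            continue  # too few requests to judge
        ids = sorted(p for p, _ in reqs)
        consecutive = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        misses = sum(1 for _, s in reqs if s == 404)
        # Nearly every id adjacent to the next one, and most guesses missing.
        if consecutive >= len(ids) - 2 and misses / len(reqs) >= min_miss_ratio:
            flagged.append({"client": client, "owner_id": owner,
                            "requests": len(reqs), "misses": misses})
    return flagged
```

The same threshold logic can be applied per time window so that a slow, multi-day walk like the one described still accumulates enough requests to be flagged.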
It's understood that Heinrich did not seek permission to use Gatford's wife as a subject in his disclosure, which is commonly done when using a test subject in the security industry.
Heinrich had also extracted some of the family's photos from the image sharing website Flickr and demonstrated how he was, up until recently, able to trick young MySpace users into friending him without having to enter their email address and name.
MySpace had since fixed that vulnerability, Heinrich said, by removing the option that required people who wanted to friend a young MySpace user to enter an email address and name. Heinrich demonstrated how, when the vulnerability was still active, he was able to bypass entering an email address and name when MySpace required it.
MySpace had implemented the feature a while back to make it easier for young people to identify whether someone knew them or not, Heinrich said. The assumption was that if someone knew your email address and name then it was likely you knew them.
Now you just needed to send a friend request and not enter those details, he said.
The Flickr vulnerability used what is known as the site's application programming interface (API), which can be used by sites other than Flickr to present your photos on them.
US security expert at HP TippingPoint, John Pirc, who once worked for the Central Intelligence Agency (CIA) in cyber security and is also attending the conference on the Gold Coast, said that what Heinrich showed was, in his opinion, "unethical".
"I wouldn't have done it. I think if you're going to demonstrate something like that you should get permission from somebody that would allow you to do that," he said.
Pirc said that what Heinrich showed "was no surprise" to the security industry.
"I give him a lot of credit for doing it in a public forum. I certainly wouldn't have done that. I just don't think people know [that their photos aren't private].
"... You hear about people losing jobs for what they post on Facebook," he said.
He hoped this would be a "wake up call" for people using social networks.
Sydney Morning Herald