Facebook security under fire again – this time over leaky IP addresses

10 May 2010

Facebook is under fire from the security industry for the third time this month, this time over an allegation that its notification emails leak users' IP addresses.

According to Chester Wisniewski, a senior security adviser with Sophos, an attendee at the Infosecurity Europe show late last month approached him after a presentation and asked whether he was aware that Facebook was including people's IP addresses in all of its notification emails.

"I was pretty shocked, and he referred me to some research that had been done by Phil Bramwell", he said, adding that he started looking at some Facebook emails dating from 2008 to see if the issue was occurring then.

It was, says Wisniewski, so he looked at a more recent Facebook message from 2009; there the IP address was no longer readable at a glance, but it was still present in the same place in the message header.

"The IP of the requesting individual was encoded in Base64, which is trivial to reverse using a simple Google search", he said in his security blog posting over the weekend.

The data appears to originate, says the Sophos researcher, from Facebook's Zuckmail email generation platform: the IP address of the party who triggered the notification is encoded and delivered in the email you receive.

"This includes notifications of being tagged in a photo, private messages, friend requests, even account deletion requests", he explained.

Wisniewski went on to say that, whilst Facebook may need to log interactions with their systems for legal reasons, there is no conceivable reason to send this data out to anyone and everyone.

"Your IP address may indicate your location (even locally, I was able to tell whether people were posting from work, home, or their phone), and could also allow malicious individuals to initiate a denial of service attack against your PC/router/firewall", he noted.

As with the PleaseRobMe.com site, the Sophos researcher says, it would be easy for someone to determine from your IP address that you are stranded away from home by the European ash cloud, or that you are lying about your activities and location.

"Using online services and social media for communications carries with it the same risks as sending emails. It is certainly no more private; in fact it most likely is less so", he said.

Following his posting about the issue on Saturday, Wisniewski says that at some point on Sunday Facebook changed the "Zuckmail" headers so that the Base64-encoded field in current message headers contains only the localhost address (127.0.0.1).

"Some people pointed out that your IP is exposed in other ways on the Internet; while true, many people believed Facebook to be safer than email for sensitive communications because it went through a third party. Facebook's change restores some of that anonymity. Thank you Facebook", he said.
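The leak described above (an IP address Base64-encoded into a notification header) and the fix (the field now decodes to 127.0.0.1) can be checked for by scanning a message's headers. The following is an added example, not code from the article or from Sophos: it decodes Base64 runs in every header and reports any that contain an IPv4 address, flagging anything other than loopback. The header name "X-Mailer-Trace" and the two sample messages are constructed stand-ins, since the article does not give the real header name.

```python
import base64
import ipaddress
import re
from email import message_from_string

# A dotted quad is at least 7 bytes; 12+ Base64 chars comfortably covers one.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def decoded_ips(header_value):
    """Return ipaddress objects found inside Base64 runs of one header value."""
    found = []
    for token in B64_TOKEN.findall(header_value):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # bad padding/alphabet, or decoded bytes are not text
            continue
        for candidate in IPV4.findall(text):
            try:
                found.append(ipaddress.ip_address(candidate))
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is no address
                continue
    return found

def audit_headers(raw_message):
    """List (header name, address, 'loopback'|'leaked') for every encoded IP."""
    report = []
    for name, value in message_from_string(raw_message).items():
        for ip in decoded_ips(value):
            report.append((name, str(ip), "loopback" if ip.is_loopback else "leaked"))
    return report

def _sample(encoded_ip):
    # Constructed notification. "X-Mailer-Trace" is a placeholder header name,
    # not Facebook's actual Zuckmail header; real mail carries many more headers.
    return ("From: notification@example.com\n"
            "To: user@example.com\n"
            "Subject: You were tagged in a photo\n"
            f"X-Mailer-Trace: Zuckmail [{encoded_ip}]\n"
            "\nYou were tagged in a photo.\n")

# 203.0.113.42 is from the TEST-NET-3 documentation range, standing in for a real
# sender address; 127.0.0.1 mirrors the post-fix behaviour the article reports.
LEAKY_MAIL = _sample(base64.b64encode(b"203.0.113.42").decode())
FIXED_MAIL = _sample(base64.b64encode(b"127.0.0.1").decode())

if __name__ == "__main__":
    for label, mail in (("before fix", LEAKY_MAIL), ("after fix", FIXED_MAIL)):
        print(label, audit_headers(mail))
```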
