Facebook security under fire again – this time over leaky IP addresses

According to Chester Wisniewski, a senior security adviser with Sophos, an attendee at the Infosecurity Europe show late last month approached him after a presentation and asked if he was aware that Facebook was including people's IP addresses in all of their notification emails.

"I was pretty shocked, and he referred me to some research that had been done by Phil Bramwell", he said, adding that he started looking at some Facebook emails dating from 2008 to see if the issue was occurring then.

Which, says Wisniewski, it was, so he looked at a more recent Facebook message from 2009 and, whilst the IP address was hidden, it was still in the same place in the message header.

"The IP of the requesting individual was encoded in Base64, which is trivial to reverse using a simple Google search", he said in his security blog posting over the weekend.

The data appears to originate, says the Sophos IT researcher, from the Zuckmail email generation platform with the IP address of the initiating party encoded and delivered in the email you receive.

"This includes notifications of being tagged in a photo, private messages, friend requests, even account deletion requests", he explained.

Wisniewski went on to say that, whilst Facebook may need to log interactions with their systems for legal reasons, there is no conceivable reason to send this data out to anyone and everyone.

"Your IP address may indicate your location (even locally, I was able to tell whether people were posting from work, home, or their phone), and could also allow malicious individuals to initiate a denial of service attack against your PC/router/firewall", he noted.

And as with the PleaseRobMe.com site, the Sophos researcher says it would be easy for people to determine from your IP address that you are trapped away from home in a European ash cloud, or that you are lying about your activities and location.

"Using online services and social media for communications carries with it the same risks as sending emails. It is certainly no more private; in fact it most likely is less so", he said.

Following his posting about the issue on Saturday, Wisniewski says that Facebook changed the "Zuckmail" headers to only include localhost (127.0.0.1) Base64 encoded data in current message headers some time on Sunday.

"Some people pointed out that your IP is exposed in other ways on the Internet, while true many people believed Facebook to be safer than email for sensitive communications because it went through a third party. Facebook's change restores some of that anonymity. Thank you Facebook", he said.

What’s Hot on Infosecurity Magazine?