How to harvest Facebook profiles from emails without logging in (opens in new tab)

(petewarden.typepad.com)

55 pointspskomoroch16y ago13 comments

13 comments

Facebook's approach to images seems broken security-wise all around. You can also get to non-public images if you know the URL of the jpg--- linking to the image page won't work, but a direct link to the JPG will happily serve itself up.

jcapote16y ago

This is notoriously hard problem to solve if you still want a traditional web server serving out static assets (which is the fastest way to do so). The only way I've seen to serve static content in an authenticated fashion is to serve it out of the application itself using the appropriate headers. I'm curious how others have solved this though...

simonw16y ago

nginx has a feature that's perfect for this kind of thing: x-accel-redirect (also available in other web servers):

http://kovyrin.net/2006/11/01/nginx-x-accel-redirect-php-rai...

The nginx team added another feature that's even more efficient for this recently (doesn't require a dynamic piece of code execution for each hit) - a module that creates "secure links" for protecting static resources:

http://wiki.nginx.org/NginxHttpSecureLinkModule

(I think this feature would be a lot more useful if you could create links that expire after a certain amount of time).

Amazon S3 has a similar feature, which they call "query string authentication": http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.... - again, you can generate a link to a static resource which is signed with your secret key and will only work for a specific amount of time. Last I saw, that's how Basecamp deals with download links for private files.

1 more reply

_delirium16y ago

It's not foolproof, but I think one common way is for the static-content server to check for an appropriate authentication cookie. In Facebook's case, an additional complication is that they serve lots of the static content off Akamai, so any authentication would have to be coordinated.

2 more replies

tarkin216y ago

I've said it before, but I'd advise people change the email addresses they've attached to facebook. And definitely don't use the email address you give out to employers.

jonknee16y ago

Or just adjust your privacy settings so that only your friends can see anything. I don't show up in search results for example.

maxklein16y ago

That's a pretty clever trick. I heard from some people that after doing the bulk upload thing, if your account in any way promotes a business, it gets shutdown after about a week. Anyone who uploads large contact lists to facebook gets into some type of human review system.

sambeau16y ago

Please don't. :(

j / k navigate · click thread line to collapse

13 comments

_delirium16y ago

jcapote16y ago

simonw16y ago

nginx has a feature that's perfect for this kind of thing: x-accel-redirect (also available in other web servers):

http://kovyrin.net/2006/11/01/nginx-x-accel-redirect-php-rai...

http://wiki.nginx.org/NginxHttpSecureLinkModule

(I think this feature would be a lot more useful if you could create links that expire after a certain amount of time).

1 more reply

_delirium16y ago

2 more replies

tarkin216y ago

I've said it before, but I'd advise people change the email addresses they've attached to facebook. And definitely don't use the email address you give out to employers.

jonknee16y ago

Or just adjust your privacy settings so that only your friends can see anything. I don't show up in search results for example.

maxklein16y ago

sambeau16y ago

Please don't. :(

j / k navigate · click thread line to collapse