
The Blog of Darryl E. Clarke

  Random musings from a jaded coder who just needs a hug.

Don’t Trust Facebook’s Photo Privacy At All

You constantly hear about things happening to people because of things on Facebook, mostly pictures, and how certain people who probably shouldn’t be able to see them somehow managed to see them.

And it goes sort of like this. I have a photo album called ‘Pets‘ on Facebook. This album has the privacy setting “Friends Only”, and if you click the link to the album, one of a few things will happen depending on who you are and whether or not you are logged in to Facebook…

  1. If you are logged in and not my friend it should deny you.
  2. If you are logged in and my friend it should allow you.
  3. If you are not logged in, it should ask you and then decide on #1 or #2.

That’s all good and well.  That’s how I expect things to work. Here’s the problem though:

this is supposedly viewable only by friends.


If you can see that image above, Facebook’s privacy settings for my images are not working.

The issue comes as a result of Facebook using a different domain name for their content distribution network (CDN) to serve up their massive amounts of images. They use fbcdn.net, and as a user of Facebook you are logged into the ‘.facebook.com’ domain. The CDN is never aware of who is actually viewing the pictures and thus cannot block or allow based on Facebook’s privacy settings.

All it takes is one rogue friend or application on Facebook to expose the direct links to your images and voila, no more privacy.
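To make the domain mismatch concrete, here is a small model of it, added as an example and not taken from Facebook's code or from the original post. The session IDs, user names, photo path and function names are all constructed for illustration; only the two domains come from the text above.

```python
from dataclasses import dataclass, field

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching, for hostnames."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

@dataclass
class Browser:
    jar: dict = field(default_factory=dict)  # cookie domain -> {name: value}

    def cookies_for(self, host):
        """Cookies the browser attaches to a request for `host`."""
        sent = {}
        for domain, cookies in self.jar.items():
            if domain_match(host, domain):
                sent.update(cookies)
        return sent

# Constructed sample data (not real accounts, sessions or paths).
SESSIONS = {"sess-a": "alice", "sess-m": "mallory"}
FRIENDS_OF_OWNER = {"alice"}
PHOTO_PATH = "/pets/photo1.jpg"

def app_album(cookies):
    """App domain: enforces "Friends Only" from the session cookie."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 302  # case 3: not logged in, redirect to login
    return 200 if user in FRIENDS_OF_OWNER else 403  # case 2 / case 1

def cdn_image(path, cookies):
    """CDN domain: no identity arrives, so the path is the only input."""
    return 200 if path == PHOTO_PATH else 404

def request(browser, host, path):
    """Send a request with whatever cookies match the host."""
    cookies = browser.cookies_for(host)
    if domain_match(host, "facebook.com"):
        return app_album(cookies)
    return cdn_image(path, cookies)

def logged_in(session_id):
    return Browser(jar={".facebook.com": {"session": session_id}})

if __name__ == "__main__":
    viewers = [("friend", logged_in("sess-a")),
               ("non-friend", logged_in("sess-m")), ("anonymous", Browser())]
    for who, b in viewers:
        print(who, request(b, "www.facebook.com", "/album/pets"),
              request(b, "fbcdn.net", PHOTO_PATH))
```

The album page returns a different status for each of the three viewers, while the CDN returns the same 200 to all of them because the cookie scoped to ‘.facebook.com’ is never attached to a request for fbcdn.net.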


  • It all comes down to this: If you don’t want something to get out to anyone (even just a select few people), DON’T POST IT! PERIOD. Facebook, with all its privacy settings, still can’t protect you from everything… Just a matter of habits, being careful.. that’s all.

    My 2c..

    • Of course, that is totally valid. But I think what I’m trying to expose here is that even when you do set something as private, it’s not. And I think that’s a serious flaw in Facebook’s photo sharing system.