A public demonstration of a weakness in Facebook’s account security has attracted the attention of law enforcement in Australia and raised questions about the ability of social networks to protect user data.
Security researcher Christian Heinrich conducted a brute-force attack against the Facebook account of the wife of a fellow researcher, retrieving private photos from the account and displaying them for an audience of 20 or so security experts at the BSides Australia conference in Queensland, Australia. The demonstration attracted the interest of local media and the police, who are investigating the hack for possible violations of Australia’s computer misuse act, and who detained a journalist who had posted one of the stolen photos in his account of the presentation. But the larger story may be that the hole that allowed Heinrich to access the photos was in a component common to most large social networks: content distribution networks (CDNs) that let companies place high-bandwidth content closer to their users.
The presentation, which took place Sunday, was titled “For God Your Soul… For Me Your Flesh.” In it, Heinrich demonstrated a range of security holes in common social networking and Web-based applications, including Flickr, the photo sharing site, and MySpace.com. To illustrate the Facebook vulnerability, Heinrich showed how a technically sophisticated individual could access privacy-protected Facebook photos belonging to the wife of Chris Gatford, a fellow security researcher and director of HackLabs, according to a report in The Age. Among the photos posted was one of Gatford’s wife and child.
Heinrich told attendees that he was able to extract the photos from Facebook’s caches of user content over a number of hours using just the wife’s Facebook friend ID number and a randomly generated number used to name the photo. Heinrich did not need to authenticate before retrieving the files, nor did he need to be a friend of the wife to obtain her photos.
The demonstration clearly crossed ethical boundaries in compromising the personal account of Gatford’s wife without her prior permission. It also raised legal questions. Queensland Police, responding to a complaint about the hack, ended up arresting a reporter for the Sydney Morning Herald, Ben Grubb, who had interviewed Heinrich following his presentation. The police seized his iPad, which they said may contain recorded evidence of the commission of the offense. It was unclear yesterday whether Queensland police were speaking with Heinrich. Officials are declining to discuss what they consider an active investigation.
Dramatics aside, the presentation was treading on well-worn turf: the loose controls that popular social networking and content sharing Web sites put around their users’ data. To manage its explosive growth and the petabytes of new content that its hundreds of millions of users create each day, Facebook relies on a combination of its own servers and leased CDNs – content distribution networks that cache content close to users so that it can be delivered as quickly and efficiently as possible. In 2009, the company also launched Haystack, an internally developed photo storage and delivery platform that runs on commodity hardware and was designed to reduce Facebook’s reliance on external CDN partners like Akamai or NetApp. Heinrich’s demonstration suggests that Facebook is doing a poor job of hiding and securing Haystack’s content, failing to extend its user privacy settings to the data associated with each account.
However, Andy Ellis, the Chief Security Architect at Akamai, said that there’s nothing inherent in CDNs that would make cached content insecure. “We do whatever our customers want us to do. Our network has the capability to ensure that authentication and authorization decisions are made at the point of delivery of content to an end user,” Ellis told Threatpost. Ellis said it is company policy not to discuss or even identify customers by name. He did say that Akamai customers “have a variety of security controls” at their disposal, including features to purge cached data after a period of time and to pass content requests back through centralized authentication and authorization servers operated by the customer to make sure the requester has permission to access the data. Ellis acknowledged, though, that more content security translates into slower performance and higher overhead costs.
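To make concrete what “authorization decisions at the point of delivery” means in contrast with the unauthenticated fetch by guessed ID described earlier, here is an added illustration, not code from the article, Facebook or Akamai: a short-lived HMAC-signed URL that the origin issues only after its own privacy check, and that the edge verifies before serving a cached photo. The shared secret, the `cdn.example` host, the photo path and the `viewer` identity (assumed to come from a session the edge can already see) are all constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs

# Constructed demo secret shared by the origin and the edge; a placeholder, not a real key.
EDGE_SECRET = b"constructed-demo-secret-not-for-production"


def _signature(path: str, expires: int, viewer: str) -> str:
    # Bind the token to the exact object path, an expiry and the viewer's identity,
    # so a link for one photo cannot be reused for another object or by another account.
    path = "/" + path.lstrip("/")
    msg = f"{path}|{expires}|{viewer}".encode()
    return hmac.new(EDGE_SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, viewer: str, ttl: int, now: int) -> str:
    """Origin side: mint a URL that expires after ttl seconds, after the privacy check passed."""
    expires = now + ttl
    sig = _signature(path, expires, viewer)
    return f"https://cdn.example/{path.lstrip('/')}?e={expires}&v={viewer}&s={sig}"


def authorize_at_edge(url: str, viewer: str, now: int) -> bool:
    """Edge side: decide at the point of delivery whether the cached object may be served."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["e"][0])
        token_viewer = q["v"][0]
        sig = q["s"][0]
    except (KeyError, ValueError):
        return False  # bare object URL with no token: the unauthenticated case is refused
    if now >= expires:
        return False  # expired link: the cache stops serving it without a purge
    if token_viewer != viewer:
        return False  # link forwarded to a different account
    expected = _signature(parts.path, expires, token_viewer)
    # Constant-time comparison; a tampered path or expiry fails here.
    return hmac.compare_digest(expected, sig)
```

The trade-off Ellis describes shows up directly: every edge request now costs an HMAC check and links must be re-minted when they expire.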
Neither Heinrich nor Facebook responded to e-mail requests for comment.