Apparently Facebook considers your current IP address to be "public information" as well.

See that header in your Facebook notification email that looks like this?

    X-Facebook: from zuckmail ([NzYuMTY5LjIzLjU2])

That's your friend's IP address:

    % perl -MMIME::Base64 -le 'print decode_base64("NzYuMTY5LjIzLjU2")'
    76.169.23.56

[Slow-clap animation goes here.]

Current Music: Kenickie -- Spies ♬
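
The same decoding as a header audit you can run over your own saved notification mail. This is an added example, not part of the original post; the function names, the regex and the sample messages are constructed here, and only the two header values come from this page.

```python
import base64
import binascii
import ipaddress
import re
from email import message_from_string

# Constructed sample messages; only the X-Facebook values are from this page.
SAMPLE_PUBLIC = (
    "From: notification@example.invalid\n"
    "Subject: constructed sample\n"
    "X-Facebook: from zuckmail ([NzYuMTY5LjIzLjU2])\n"
    "\n"
    "body\n"
)
SAMPLE_LOOPBACK = (
    "Subject: constructed sample\n"
    "X-Facebook: from zuckmail ([MTI3LjAuMC4x])\n"
    " by www.example.invalid with HTTP (ZuckMail);\n"
    "\n"
    "body\n"
)

# The token sits between "([" and "])" in the header value.
TOKEN = re.compile(r"\(\[([A-Za-z0-9+/=]+)\]\)")


def classify(ip):
    # Check loopback first: Python also reports 127.0.0.0/8 as private.
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def audit_message(raw, header="X-Facebook"):
    """Return [(ip, kind)] for each token in `header` that decodes to an IP."""
    msg = message_from_string(raw)
    findings = []
    for value in msg.get_all(header, []):
        for token in TOKEN.findall(value):
            try:
                text = base64.b64decode(token, validate=True).decode("ascii")
                ip = ipaddress.ip_address(text)
            except (binascii.Error, UnicodeDecodeError, ValueError):
                continue  # not valid base64, or not an IP literal
            findings.append((str(ip), classify(ip)))
    return findings
```

The three classes line up with what commenters below report seeing: ISP-assigned addresses, 10.* addresses, and 127.0.0.1.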

24 Responses:

  1. mcfnord says:

    if they're not really my friend, i'd love to have their ip address.

  2. teferi says:

    "Base64! No one will think of that! We're so clever."

  3. drauh says:

    I checked on some, and a couple gave me private addresses (10.*.*.* block), and a couple gave me the external IP assigned by their ISP (Comcast, in one case).

    • supersat says:

      I noticed this a while ago, but it seemed like only the spammy fan suggestions like "Get a free iPad!!!!" had internal IPs. So, either Facebook fucked up their implementation of this "feature", or they got compromised. Neither bodes well for Facebook.

      I've also caught fan suggestions coming from address space allocated to a shady colo. It's pretty obvious that the accounts were compromised, but as far as I know, Facebook has done nothing about it.

  4. anarqueso says:

    Facebook stinks of dystopia. Worse, it's boring. I just deleted my account. Here's how:
    http://www.groovypost.com/howto/security/permanently-delete-your-facebook-profile-account/

    Hope it works.

    • lafinjack says:

      jwz doesn't really have that option, unless he wants to lose business at the bar. It's become standard that hip businesses have Facebooks, and all the alerts and junk that go along with a Facebook.

  5. malokai says:

    Hotmail/gmail does this as well.

  6. jered says:

    Blah blah blah, I totally don't have a problem that they do this, but I do have a problem that they obscure it.

  7. editer says:

    Here's a cool/scary visualization of FB's evolving "privacy" policy over time.

    (recaptcha: "retreat factory")

  8. andr00 says:

    Sure, people are saying "big deal, email has IPs!" But in this case, every facebook action which causes a mail to be sent seems to carry the IP of the actor in that email.

    So, if I go hit "Like" on something someone does, and a bunch of people who may or may not know about this particular feature make comments on the same thing.. I get all of their IPs emailed to me. Now I know some of their locations. Now I know where some of them work. They have not added me to any kind of list, or attempted to communicate directly with me at all. They probably never even saw my name because it's hidden in a "N people like this" list.

    It's a real big help for obsessed ex-stalkers who still share a few friends with their victim. Thanks, Facebook!

  9. lifftchi says:

    Zuckmail? How arrogant is this guy?

  10. boggyb says:

    I wonder if they've just changed it, as the facebook emails I've received this morning now have 127.0.0.1 as the address:

    X-Facebook: from zuckmail ([MTI3LjAuMC4x])
    by http://www.facebook.com with HTTP (ZuckMail);

    (one at Fri, 07 May 2010 17:10:50 -0500 has a public address, the next one at Sat, 08 May 2010 02:26:40 -0500 and all emails after that have 127.0.0.1).

  11. alexmizell says:

    I just tried four, and three of them had an apparently correct IP address in it. One was 127.0.0.1, this was a wall post from one of my friends to another. I suspect that was the difference but my sample was pretty small so I dunno.

    While it's true that ways to find IP addresses are common, Facebook doesn't have to make it so easy. By way of analogy it's not that hard to find out my street address and cell phone number, but I don't want them posted on my Facebook profile page, which is effectively what Facebook just did to my IP. It's hard to imagine why it would be a good thing to announce that information to everyone. Livejournal gets a pass because they only out your IP once for each comment, and you clearly know it's happening. This Facebook thing is an ongoing update on your IP address, which is important because it probably changes a lot. It's a cyber stalker's wet dream.

  12. that_xmas says:

    So...you're not using the IP address to physical location mapping to find out where your most prolific commenters are located? So you can do some location analysis to figure out where you need to increase spending in your local advertising and where you can spend less?

  13. pgn674 says:

    I just checked three emails I got this morning saying people wrote on my wall or invited me to something. All decoded to "127.0.0.1" (coded as "MTI3LjAuMC4x"). A message from 3 days ago saying someone accepted my friend request gave me a real IP. Maybe Facebook has since started anonymizing it?

  14. bschnitt says:

    We originally included IP address information in these email headers as part of industry best practices designed to improve spam filters. This is similar to what many webmail providers do. However, we agree this practice no longer makes sense for Facebook and we've discontinued it. Thank you for bringing this to our attention.

    Best,
    Barry

    --
    Barry Schnitt
    Director, Policy Communications
    Facebook
    barry@facebook.com
    650.543.4979

  15. hadlock says:

    35 minute response time for fixing a security hole isn't half bad. Thanks Barry!