X-Facebook: from zuckmail ([NzYuMTY5LjIzLjU2])
That's your friend's IP address:
% perl -MMIME::Base64 -le 'print decode_base64("NzYuMTY5LjIzLjU2")'
76.169.23.56
[Slow-clap animation goes here.]
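As an added example (not code from the original post), the same decode can be turned into an audit of the headers a mail-sending service emits: it finds bracketed base64 tokens that decode to an IP address and labels each one loopback, private or public, the three cases readers report in the comments. The `X-Example` and `X-Other` headers and the `10.0.0.5` address are constructed for the sample.

```python
import base64
import binascii
import ipaddress
import re

# Bracketed token in the shape quoted in the post: ([<base64>])
TOKEN = re.compile(r"\(\[([A-Za-z0-9+/]+={0,2})\]\)")

def decode_ip(token):
    """Return an ip_address if token is base64 of a textual IP, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
        return ipaddress.ip_address(text)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def classify(ip):
    # Loopback is tested first because 127.0.0.0/8 also counts as private.
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"

def audit_headers(raw_headers):
    """Return (header_name, ip, kind) for every header carrying an encoded IP."""
    findings = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        for match in TOKEN.finditer(value):
            ip = decode_ip(match.group(1))
            if ip is not None:
                findings.append((name.strip(), str(ip), classify(ip)))
    return findings

def b64(text):
    return base64.b64encode(text.encode("ascii")).decode("ascii")

# Constructed sample; the two X-Facebook values are the ones quoted on this page.
SAMPLE = "\n".join([
    "Subject: constructed sample message",
    "X-Facebook: from zuckmail ([NzYuMTY5LjIzLjU2])",
    "X-Facebook: from zuckmail ([MTI3LjAuMC4x])",
    "X-Example: from relay ([%s])" % b64("10.0.0.5"),  # constructed private address
    "X-Other: token ([%s])" % b64("not an ip"),        # base64, but not an address
])

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

A "public" finding is the case that exposes the sender's address to every recipient; "loopback" and "private" findings reveal nothing routable.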
if they're not really my friend, i'd love to have their ip address.
"Base64! No one will think of that! We're so clever."
Hey, maybe when they send my data to the Farmville people because one of my friends likes to grow fake tomatoes, they could put it in ROT-13.
Dual rounds of ROT13 for extra security.
Well, you can't be too careful.
Sorry, I couldn't read that because of the heavy encryption.
Why stop at 2, ROT52104 should be damn near uncrackable!
I checked on some, and a couple gave me private addresses (10.*.*.* block), and a couple gave me the external IP assigned by their ISP (Comcast, in one case).
I noticed this a while ago, but it seemed like only the spammy fan suggestions like "Get a free iPad!!!!" had internal IPs. So, either Facebook fucked up their implementation of this "feature", or they got compromised. Neither bodes well for Facebook.
I've also caught fan suggestions coming from address space allocated to a shady colo. It's pretty obvious that the accounts were compromised, but as far as I know, Facebook has done nothing about it.
Facebook stinks of dystopia. Worse, it's boring. I just deleted my account. Here's how:
http://www.groovypost.com/howto/security/permanently-delete-your-facebook-profile-account/
Hope it works.
jwz doesn't really have that option, unless he wants to lose business at the bar. It's become standard that hip businesses have Facebooks, and all the alerts and junk that go along with a Facebook.
Hotmail/gmail does this as well.
Blah blah blah, I totally don't have a problem that they do this, but I do have a problem that they obscure it.
Here's a cool/scary visualization of FB's evolving "privacy" policy over time.
(recaptcha: "retreat factory")
That is awesome.
Sure, people are saying "big deal, email has IPs!" But in this case, every facebook action which causes a mail to be sent seems to carry the IP of the actor in that email.
So, if I go hit "Like" on something someone does, and a bunch of people who may or may not know about this particular feature make comments on the same thing.. I get all of their IPs emailed to me. Now I know some of their locations. Now I know where some of them work. They have not added me to any kind of list, or attempted to communicate directly with me at all. They probably never even saw my name because it's hidden in a "N people like this" list.
It's a real big help for obsessed ex-stalkers who still share a few friends with their victim. Thanks, Facebook!
Zuckmail? How arrogant is this guy?
With few exceptions, CEOs come in two flavors: Arrogant and Destitute.
I wonder if they've just changed it, as the facebook emails I've received this morning now have 127.0.0.1 as the address:
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
by http://www.facebook.com with HTTP (ZuckMail);
(one at Fri, 07 May 2010 17:10:50 -0500 has a public address, the next one at Sat, 08 May 2010 02:26:40 -0500 and all emails after that have 127.0.0.1).
I just tried four, and three of them had an apparently correct IP address in it. One was 127.0.0.1, this was a wall post from one of my friends to another. I suspect that was the difference but my sample was pretty small so I dunno.
While it's true that ways to find IP addresses are common, Facebook doesn't have to make it so easy. By way of analogy it's not that hard to find out my street address and cell phone number, but I don't want them posted on my Facebook profile page, which is effectively what Facebook just did to my IP. It's hard to imagine why it would be a good thing to announce that information to everyone. Livejournal gets a pass because they only out your IP once for each comment, and you clearly know it's happening. This Facebook thing is an ongoing update on your IP address, which is important because it probably changes a lot. It's a cyber stalker's wet dream.
So...you're not using the IP address to physical location mapping to find out where your most prolific commenters are located? So you can do some location analysis to figure out where you need to increase spending in your local advertising and where you can spend less?
I just checked three emails I got this morning saying people wrote on my wall or invited me to something. All decoded to "127.0.0.1" (coded as "MTI3LjAuMC4x"). A message from 3 days ago saying someone accepted my friend request gave me a real IP. Maybe Facebook has since started anonymizing it?
We originally included IP address information in these email headers as part of industry best practices designed to improve spam filters. This is similar to what many webmail providers do. However, we agree this practice no longer makes sense for Facebook and we've discontinued it. Thank you for bringing this to our attention.
Best,
Barry
--
Barry Schnitt
Director, Policy Communications
Facebook
barry@facebook.com
650.543.4979
35 minute response time for fixing a security hole isn't half bad. Thanks Barry!