First, a little context:
I’m a dad, which means I am more familiar with the Elf on the Shelf than I ever dreamed I might be. For the uninitiated, this cute little creature comes to life each night while the kids are fast asleep, usually to get into some sort of mischief before the kids wake up in the morning.
Our elves (that’s right: plural) have climbed into stockings, dangled from high places with pipe cleaners and candy canes, and even started giving each other piano lessons (Up on the Housetop seems to be their favorite). What continues to amaze me is that these damn little elves do this EVERY NIGHT, no matter how late everyone stays up, or how tired dad is, or how much he just wishes he could go to bed and get a good night’s sleep.
Fortunately, the good folks at Elf on a Shelf Gone Bad have made it their mission to share photos of elves who get into a little more… adult-related mischief. For example, one such elf found themselves romantically entangled with a nude doll sporting a Phil Robertson head. Another one appears to have disassembled Sapphire the Reindeer, using a toy chainsaw.
As a Star Wars fan, I was particularly impressed by the elf that had been encased in carbonite, courtesy of a Boba Fett action figure.
I was so impressed, in fact, that I wanted to share it on Facebook and Twitter. Sharing a Facebook pic on Facebook is easy, especially when the owner of the page has lifted the privacy settings so that anybody can find their page. Sharing it on Twitter, though… could I do that?
I do a lot of application security work at Jacadis. One of my responsibilities is to hack into client applications, then show the developers how I did what I did and (more importantly) what they can do to fix those security holes. With that experience under my belt, I have a behind-the-curtain understanding of how web apps work: GETs and POSTs, calls to other domains, identifying parameters you can tamper with… fun stuff.
When it comes to sharing pictures of mischievous elves via social media, this kind of knowledge comes in handy.
Here’s a link to the Facebook album page that contains our carbonite-encased Elf. If you click on that link while you’re logged into Facebook, you’ll see the photo album page (and all the ads on the right). If you’re not logged into Facebook, you’ll still see the picture (sans ads).
But the photo isn’t exactly on Facebook. It’s here.
The Facebook web app runs on one set of servers, while static content (like the elf pic) is stored on another server. It doesn’t matter which link you click, though, or even whether or not you’re logged into Facebook. Either way, you still see the elf.
But what about pics from users who protect their profiles, like my wife? Could someone see her pictures without her permission?
Here’s a link to a picture of me and my kids on Father’s Day, standing just outside of Shedd Aquarium. If you click on the link while you’re logged into Facebook, you’ll see a “content is currently unavailable” message unless you’re one of her friends. Why? Because she locked down her Facebook privacy settings.
But if you aren’t her friend (or if you don’t have a Facebook account), that doesn’t mean you can’t see the picture. All you have to do is click here instead, and boom: picture. Screw Facebook’s ineffective privacy settings.
In web application security speak, this exposure is the result of an insecure direct object reference. When you try to get to the picture through the first link, you’re going through the Facebook web application (where they’ve built in some decent privacy controls). The web app checks to see who you are, checks whether or not you’re allowed to see the file (based on her profile’s privacy settings), and then makes a decision to either show you the file or display the error message. When you try to get to the picture through the second link, you’re skipping all of that program logic and going straight to the picture.
This is security through obscurity. Facebook is counting on the fact that the URL is a long (seemingly random) series of numbers to avoid any more negative privacy-related publicity. If there’s one thing I’ve learned in infosec, though, it’s that security by obscurity is ultimately doomed to fail.
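The two paths described above, as an added example that is not from the original post and not Facebook’s actual code: a toy app server that performs the privacy check, a static host that serves anything whose id you know, and one common mitigation (the app signs a short-lived HMAC URL after its own check, and the static host serves only what it can verify). The photo ids, user names and key are constructed for the demo.

```python
import hmac
import hashlib
import time

# Constructed sample data standing in for the two tiers: the app server's
# metadata (owner, privacy setting, friend list) and the static host's raw files.
PHOTOS = {
    "10151234567890": {"owner": "wife", "visibility": "friends"},
    "10159876543210": {"owner": "elf_page", "visibility": "public"},
}
FRIENDS = {"wife": {"dad", "grandma"}}
STATIC_FILES = {pid: f"<jpeg bytes of {pid}>".encode() for pid in PHOTOS}
SECRET = b"constructed-demo-key"  # shared by the app server and the static host

def static_fetch(photo_id):
    """The exposed path: the static host serves any file whose id you know."""
    return STATIC_FILES.get(photo_id)

def app_can_view(viewer, photo_id):
    """The app server's check: owner, friends, or anyone if the photo is public."""
    meta = PHOTOS.get(photo_id)
    if meta is None:
        return False
    if meta["visibility"] == "public":
        return True
    return viewer == meta["owner"] or viewer in FRIENDS.get(meta["owner"], set())

def app_fetch(viewer, photo_id):
    """The app-mediated path: check first, then hand over the bytes."""
    return STATIC_FILES[photo_id] if app_can_view(viewer, photo_id) else None

def sign_url(viewer, photo_id, ttl=300, now=None):
    """Mitigation: the app signs a short-lived URL only after its own check passes."""
    if not app_can_view(viewer, photo_id):
        return None
    expires = int(now if now is not None else time.time()) + ttl
    sig = hmac.new(SECRET, f"{photo_id}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"/photos/{photo_id}?exp={expires}&sig={sig}"

def hardened_static_fetch(photo_id, expires, sig, now=None):
    """The static host serves only URLs the app signed, and only before they expire."""
    now = int(now if now is not None else time.time())
    if now >= int(expires):
        return None
    expected = hmac.new(SECRET, f"{photo_id}|{int(expires)}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return STATIC_FILES.get(photo_id)
```

A signed link that gets forwarded still works until it expires, so the lifetime has to be short; the gain is that the static host no longer hands out anything the app never approved.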
I mean, how could someone figure out direct links to my pictures? It’s not like they could:
- Get the URLs by sniffing my laptop/smartphone traffic while I’m connected to a public Wi-Fi hotspot;
- Do a little bit of Google hacking to get the search giant to find them for me; or
- Analyze the patterns of multiple file names and then use a tool like PeachFuzzer to try a large number of likely URL combinations until it starts finding valid URLs.
Of course, if they really wanted to see my Facebook pictures, they’re much more likely to use social engineering tactics in an attempt to get my password. But I digress…
The worst part about this is that there’s NOTHING you can do to prevent people from accessing your Facebook pictures via these direct links. It’s up to Facebook whether or not they can/will make any changes to how their app stores and controls access to the pictures you upload to their site.
With that in mind, maybe you should think twice about what you upload to The Face.
Now you know, and knowing is half the battle. – G.I. Joe