An Australian security researcher has compromised Facebook security in the most personal way imaginable, publicly ‘hacking’ private photographs posted to the service by the wife of a disliked rival security professional.
The declared intention of Christian Heinrich’s session 'For God Your Soul... For Me Your Flesh', presented to a reported 20 attendees of the Australian Security B-Sides conference, was to expose the weakness of Facebook’s privacy settings.
Controversially, the IT contractor chose to prove his point by accessing private photographs posted to the social media site by the wife of a man he is reported to dislike, HackLabs director Chris Gatford.
Heinrich’s ‘hack’ took seven days and involved guessing the URLs of private Facebook images that the site stores on a separate content delivery network (CDN), which in his view represents a major security weakness for anyone posting personal data to the site. He was also able to hack into the couple’s private images on Flickr.
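The weakness described above is that a private object is protected only by its URL staying unknown. As an added illustration (not Facebook's, Flickr's or any CDN's actual mechanism) of the usual mitigation: the origin issues HMAC-signed, expiring URLs and the CDN edge verifies them, so a guessed or reused path alone is refused. The host name, object paths and key below are constructed assumptions.

```python
# Added example: signed, expiring URLs for private objects on a CDN.
# Not the code of any real CDN; host, paths and key are constructed.
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Assumption: a secret shared by the origin (signer) and the CDN edge (verifier).
SECRET = b"constructed-example-key-do-not-reuse"
CDN_HOST = "https://cdn.example.invalid"  # constructed host name


def _mac(path: str, expires: int) -> str:
    """HMAC-SHA256 over the object path and expiry, base64url without padding."""
    msg = f"{path}\n{expires}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(path: str, now: int, ttl: int = 300) -> str:
    """Origin side: return a URL for a private object valid for `ttl` seconds."""
    expires = now + ttl
    return f"{CDN_HOST}{path}?e={expires}&s={_mac(path, expires)}"


def verify_url(url: str, now: int) -> bool:
    """Edge side: accept only if the signature matches and the link is unexpired.

    A bare path (no signature), a guessed neighbouring path, a tampered
    signature, or a stale link all fail, even when the object exists.
    """
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["e"][0])
        sig = qs["s"][0]
    except (KeyError, ValueError):
        return False  # unsigned request: reject regardless of path
    if now >= expires:
        return False
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    return hmac.compare_digest(sig, _mac(parsed.path, expires))


if __name__ == "__main__":
    now = int(time.time())
    link = sign_url("/photos/album42/img0007.jpg", now)
    print("signed link accepted:", verify_url(link, now))
    print("guessed bare path accepted:", verify_url(CDN_HOST + "/photos/album42/img0007.jpg", now))
    print("neighbouring path with same signature accepted:", verify_url(link.replace("img0007", "img0008"), now))
```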
"I have no ethical qualms about publishing the photos," Heinrich was reported to have told the Sydney Morning Herald newspaper. "They are in the public domain."
Opinions about the legitimacy of the demo seem divided between those who see it as an unethical invasion of privacy and others who think Heinrich has exposed the weakness of Facebook’s privacy system in a useful way. Some will simply question why he needed to make his point in such a personal way.
That the unorthodox presentation happened at the Australian B-Sides security event will not come as a surprise to everyone. The philosophy of this event - which also made its London debut last month after well-attended events in the US during 2010 - is that speakers do not have to work for vendors in order to be accepted to present. It welcomes individual researchers, including those with quirky outlooks on the subject.
There is no indication that the B-Sides organisers knew of or approved the full content of Heinrich’s presentation in advance.
The presentation was only witnessed by a handful of people, but as any security researcher should know, nothing that happens is ever safe from the all-seeing eye-in-the-wire known as the Internet.