54 comments

[ 5.1 ms ] story [ 113 ms ] thread
Not speculation. I just tried this with a few folks, and it works as advertised.
but not when a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication

Is this the best scenario they could come up with where this is a problem?

Yep. Confirmed. Command line example:

Take the Base64 string from this line in the headers:

X-Facebook: from zuckmail ([OTguMTgzLjI0Ny4yMTg=])

  $ ruby -rbase64 -e "puts Base64::decode64('NzQuMTI1Ljk1LjEwNA==')"
  74.125.95.104
That confirms that it's a IP address, not that it's his.
(comment deleted)
Or - that confirms that it's 32 bit number that when represented as a dotted quad appears to be an IP address.
I did the same for two Facebook notifications, from different friends, and both tagged their city (Tuscaloosa, AL didn't surprise me, but Blountstown, FL? That's fairly targetted).
Note: I havent experimented with this yet.

Are we sure this is the ip address of the user and not just the ip address of one of facebook's servers?

If it is a user's address... is that a problem? This seems like very easy to obtain online information... for example, by sending an email to the person im trying to talk with via facebook...

It's the user (I tested with 2 friends to verify). Here's a scenario we talked about in my house: Once potential problem: friends-of-friends. A friend-of-friend comments on something your mutual friend put out, you then comment, the first friend (whom you don't know) can use this trick to ballpark your location.
Right. But you're all talking to each other. It seems to me this same info would still be available to everyone if you were emailing each other. I don't really see this one as a huge security risk...
Did you test the problem you described? If it works, this is the only potential flaw I see. Including IP addresses with messages still doesn't seem like a bad thing regardless.
It allows some basic location tracking. The real world impact is minimal and easily obtained through other methods. If your friends or family want to track your location it's time to reconsider your relationships with them in my opinion.
Perl 1-liner: http://bit.ly/cNHkzQ Every other day I see facebook and privacy in the same sentence..
Usually with a negative in the sentence somewhere.
"Every other day I see facebook and privacy in the same sentence.."

That's because Facebook-bashing has become fashionable. There is absolutely nothing wrong with the behavior described in the article. It's how email is supposed to work. There is no way to accidentally include the IP address in an email header. They (presumably) do it on purpose.

Can someone write a GUI in Visual Basic to track these IPs please?
will do after i finish my logowriter script

LEFT 90 UP 90

move turtle move!

It's turtles all the way left and up then ? I thought they only went down ;)
That's an insult to Logo.
I'm assuming you got downvoted because no one saw that episode of Criminal Minds. Heh.
Does anyone know of a site that tracks all of these privacy problems (and potential problems) with Facebook? Following up and keeping track is the best way to keep FB accountable, and I'm sure a lot of media people would use such a site.
there might be a facebook group for it...
I just did this on an email about a comment on my wall post by someone at a nonprofit. Sure enough, it came up with not just an IP, but a subdomain listing that nonprofit's domain name.

Yes, it works.

(comment deleted)
Someone commented on that page that leaking user's IP address is a common spam-prevention practice. I just checked gmail and Yahoo Mail, and they both include my IP address in the header of outgoing messages

For instance, Yahoo Mail puts my IP address in a line like this

Received: from [xxx.xxx.xxx.xxx]

Correct - Yahoo and others put the IP address of the client that sent the mail in the SMTP headers.

Example:

Received: from [x.x.x.x] by web113916.mail.gq1.yahoo.com via HTTP; Fri, 07 May 2010 18:59:00 PDT

In this test case, x.x.x.x is my current IP address, not Yahoo!'s. The HTTP indicates that I used a browser, not POP/IMAP.

They've been doing that for years. It's handy as heck when you need to track an e-mail - you don't have to bother Yahoo with a subpoena - you can go right to the client's ISP.

There is no reason Facebook shouldn't do the same thing.

Edit: Comcast does:

X-Originating-IP: [x.x.x.x]

Google is weird:

Received: by 10.216.27.139 with HTTP; Fri, 7 May 2010 19:34:21 -0700 (PDT)

I'm not on a 10.x address. Hmmm....

How did you send it using gmail? I just sent two via the web interface, one to a gmail account and another to a non-gmail account, the originating ip is 209.85.221.175 (a google ip address) and my current IP doesn't show up anywhere in the headers.

Edit: it doesn't show up base64 encoded, either.

I don't see my IP in the headers of mail sent from GMail, either. I also tried sending via my phone and got the same results.
Been trying to figure that out for ages... if there really is a way that would be huge.
gmail reveals the sender's IP address only when sending mail via (authenticated) SMTP. The IP address is hidden when sending mail via the web interface.
I sent it using gmail's web interface. My IP address shows up in "X-Originating-IP" part of header
I can see that Yahoo mail adds the originating IP address, but not Gmail.
When I wrote a web-to-email gateway in 1994 it added a Received header with the web client IP address. Back then it was a harassment-prevention practice, because spam was either nonexistent or not a problem.
IMO, Email systems originally have been designed that way to facilitate traceability. When webmail came, it's natural that they followed this practice.

Facebook is a closed system. When you send a message to someone on Facebook, you presume that you are adding that message within Facebook. The notification email that Facebook sends to the recipient is just that, a notification generated by the Facebook system. You, the sender of the message is not part of this notification system, though you your action triggered the notification. There is no reason why the sender's IP should be exposed in this flow under normal circumstances.

Why does this matter? I get others IPs and send my IP all the time (e.g. IRC). If I was worried about my IP, I would use something like tor when doing everything. But worrying about IPs seems... silly An IP is just so uninformative, unless somebody subpoenas my ISP or something.
"unless somebody subpoenas my ISP or something"

And in addition to your secure wireless SSID, you have an open SSID at your house that you maintain just for that reason, right?

Mine's named Free_Porn.

It must suck for the one user who has had all their IP address's leaked.
I'm just... not concerned? Anything you do online leaks your IP address. If a friend embeds a photo from Flickr into their feed, and you load it, consider your IP leaked. etc, etc, etc
Leaked to Flickr, not to a Flickr user, unless I am missing something.
Seems Facebook users are born in 2009 or after wards. Every email service sends your IP address with the email. The exception is Google.
Every? My mail appears to originate from mail.jrock.us, my MX, regardless of whether or not its actually composed on that machine.
1) Someone tagged me in a photo and it leaked their IP address.

2) Someone who is not even my friend commented on someone's status, and I got a notification because I made a comment before her. It leaked her IP address to me.

These situations are not comparable to e-mail, and I seriously doubt these people reasonably expected their IP address to be sent to me based on these actions.

I'd be surprised if someone really wanted my IP they couldn't get it just by getting me to visit something off facebook.
"Leaks IP address" as a dramatic headline is an indicator that the poster is not-so savvy about networks and security. Seriously, this is the level of knowledge I observed in the typical high school student 3 years ago or so.
They changed it. The new header is:

X-Facebook: from zuckmail ([MTI3LjAuMC4x])

(127.0.0.1)

So I guess, nothing else to see here. Move along.

And so does every popular webmail provider. I remember learning about this when I was 12.
Your computer may be broadcasting an IP address!!
Your computer is broadcast an IP address!
This is not new at all.

Here's a segment of an email header from 2006:

  X-Facebook: from zuckmail ([128.208.54.23])
          by washington.facebook.com with HTTP (ZuckMail);
  Date: Sun, 10 Dec 2006 12:31:27 -0800