I did the same for two Facebook notifications, from different friends, and both tagged their city (Tuscaloosa, AL didn't surprise me, but Blountstown, FL? That's fairly targetted).
Are we sure this is the ip address of the user and not just the ip address of one of facebook's servers?
If it is a user's address... is that a problem? This seems like very easy to obtain online information... for example, by sending an email to the person im trying to talk with via facebook...
It's the user (I tested with 2 friends to verify). Here's a scenario we talked about in my house: Once potential problem: friends-of-friends. A friend-of-friend comments on something your mutual friend put out, you then comment, the first friend (whom you don't know) can use this trick to ballpark your location.
Right. But you're all talking to each other. It seems to me this same info would still be available to everyone if you were emailing each other. I don't really see this one as a huge security risk...
Did you test the problem you described? If it works, this is the only potential flaw I see. Including IP addresses with messages still doesn't seem like a bad thing regardless.
It allows some basic location tracking. The real world impact is minimal and easily obtained through other methods. If your friends or family want to track your location it's time to reconsider your relationships with them in my opinion.
"Every other day I see facebook and privacy in the same sentence.."
That's because Facebook-bashing has become fashionable. There is absolutely nothing wrong with the behavior described in the article. It's how email is supposed to work. There is no way to accidentally include the IP address in an email header. They (presumably) do it on purpose.
Does anyone know of a site that tracks all of these privacy problems (and potential problems) with Facebook? Following up and keeping track is the best way to keep FB accountable, and I'm sure a lot of media people would use such a site.
I just did this on an email about a comment on my wall post by someone at a nonprofit. Sure enough, it came up with not just an IP, but a subdomain listing that nonprofit's domain name.
Someone commented on that page that leaking user's IP address is a common spam-prevention practice. I just checked gmail and Yahoo Mail, and they both include my IP address in the header of outgoing messages
For instance, Yahoo Mail puts my IP address in a line like this
Correct - Yahoo and others put the IP address of the client that sent the mail in the SMTP headers.
Example:
Received: from [x.x.x.x] by web113916.mail.gq1.yahoo.com via HTTP; Fri, 07 May 2010 18:59:00 PDT
In this test case, x.x.x.x is my current IP address, not Yahoo!'s. The HTTP indicates that I used a browser, not POP/IMAP.
They've been doing that for years. It's handy as heck when you need to track an e-mail - you don't have to bother Yahoo with a subpoena - you can go right to the client's ISP.
There is no reason Facebook shouldn't do the same thing.
Edit: Comcast does:
X-Originating-IP: [x.x.x.x]
Google is weird:
Received: by 10.216.27.139 with HTTP; Fri, 7 May 2010 19:34:21 -0700 (PDT)
"IP addresses can be considered sensitive information. As such, Gmail may hide sender IP address information from outgoing mail headers in some circumstances."
How did you send it using gmail? I just sent two via the web interface, one to a gmail account and another to a non-gmail account, the originating ip is 209.85.221.175 (a google ip address) and my current IP doesn't show up anywhere in the headers.
gmail reveals the sender's IP address only when sending mail via (authenticated) SMTP. The IP address is hidden when sending mail via the web interface.
When I wrote a web-to-email gateway in 1994 it added a Received header with the web client IP address. Back then it was a harassment-prevention practice, because spam was either nonexistent or not a problem.
IMO, Email systems originally have been designed that way to facilitate traceability. When webmail came, it's natural that they followed this practice.
Facebook is a closed system. When you send a message to someone on Facebook, you presume that you are adding that message within Facebook. The notification email that Facebook sends to the recipient is just that, a notification generated by the Facebook system. You, the sender of the message is not part of this notification system, though you your action triggered the notification. There is no reason why the sender's IP should be exposed in this flow under normal circumstances.
Why does this matter? I get others IPs and send my IP all the time (e.g. IRC). If I was worried about my IP, I would use something like tor when doing everything. But worrying about IPs seems... silly An IP is just so uninformative, unless somebody subpoenas my ISP or something.
I'm just... not concerned? Anything you do online leaks your IP address. If a friend embeds a photo from Flickr into their feed, and you load it, consider your IP leaked. etc, etc, etc
1) Someone tagged me in a photo and it leaked their IP address.
2) Someone who is not even my friend commented on someone's status, and I got a notification because I made a comment before her. It leaked her IP address to me.
These situations are not comparable to e-mail, and I seriously doubt these people reasonably expected their IP address to be sent to me based on these actions.
"Leaks IP address" as a dramatic headline is an indicator that the poster is not-so savvy about networks and security. Seriously, this is the level of knowledge I observed in the typical high school student 3 years ago or so.
54 comments
[ 5.1 ms ] story [ 113 ms ] threadIs this the best scenario they could come up with where this is a problem?
http://bit.ly/bCrVll
Take the Base64 string from this line in the headers:
X-Facebook: from zuckmail ([OTguMTgzLjI0Ny4yMTg=])
Are we sure this is the ip address of the user and not just the ip address of one of facebook's servers?
If it is a user's address... is that a problem? This seems like very easy to obtain online information... for example, by sending an email to the person im trying to talk with via facebook...
That's because Facebook-bashing has become fashionable. There is absolutely nothing wrong with the behavior described in the article. It's how email is supposed to work. There is no way to accidentally include the IP address in an email header. They (presumably) do it on purpose.
LEFT 90 UP 90
move turtle move!
Yes, it works.
For instance, Yahoo Mail puts my IP address in a line like this
Received: from [xxx.xxx.xxx.xxx]
Example:
Received: from [x.x.x.x] by web113916.mail.gq1.yahoo.com via HTTP; Fri, 07 May 2010 18:59:00 PDT
In this test case, x.x.x.x is my current IP address, not Yahoo!'s. The HTTP indicates that I used a browser, not POP/IMAP.
They've been doing that for years. It's handy as heck when you need to track an e-mail - you don't have to bother Yahoo with a subpoena - you can go right to the client's ISP.
There is no reason Facebook shouldn't do the same thing.
Edit: Comcast does:
X-Originating-IP: [x.x.x.x]
Google is weird:
Received: by 10.216.27.139 with HTTP; Fri, 7 May 2010 19:34:21 -0700 (PDT)
I'm not on a 10.x address. Hmmm....
They only said they may hide it.
Edit: it doesn't show up base64 encoded, either.
Facebook is a closed system. When you send a message to someone on Facebook, you presume that you are adding that message within Facebook. The notification email that Facebook sends to the recipient is just that, a notification generated by the Facebook system. You, the sender of the message is not part of this notification system, though you your action triggered the notification. There is no reason why the sender's IP should be exposed in this flow under normal circumstances.
And in addition to your secure wireless SSID, you have an open SSID at your house that you maintain just for that reason, right?
Mine's named Free_Porn.
2) Someone who is not even my friend commented on someone's status, and I got a notification because I made a comment before her. It leaked her IP address to me.
These situations are not comparable to e-mail, and I seriously doubt these people reasonably expected their IP address to be sent to me based on these actions.
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
(127.0.0.1)
So I guess, nothing else to see here. Move along.
Here's a segment of an email header from 2006: