Posts Tagged ‘facebook’


Facebook Leaks IP Addresses

Posted by: Matt  /  Comments: 27

Update: It looks like Facebook fixed the default behavior of the sent emails. Your IP Address is no longer included in the notification emails. I will give Facebook credit that they solved this in less than 24 hours. Now, if they can just shore up some of the other issues…

Original Post:

Facebook has nice email notifications whenever a friend comments on your status, sends you a message, or a variety of other reasons. The emails have subjects similar to “John Doe commented on your wall post.” The unfortunate thing is that this email also appears to contain John Doe’s (or your other friend’s) IP address.

The email headers contain a line similar to:

X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])

Copy this line out and feed it to this page:

http://www.myiptest.com/staticpages/index.php/trace-email-sender

You will get the IP address of your friend, and clicking on it will show a geolocation-based map. This will also show you whether your friend posted from their cell phone and who their service provider is.
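As an added example (not code from the original post): the bracketed value in that X-Facebook header is a base64 encoding of the originating dotted-quad address, so a local mail filter can decode and flag such notifications itself instead of pasting headers into a third-party site. The message below is constructed; its header value is the one quoted above and decodes to 10.30.47.200, a private address.

```python
import base64
import email
import ipaddress
import re
from email import policy

# Constructed sample notification; the X-Facebook value is the one quoted in the post.
SAMPLE_EMAIL = """\
From: notification@example.invalid
To: someone@example.invalid
Subject: John Doe commented on your wall post.
X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])

John Doe commented on your wall post.
"""

# Matches the bracketed token in "from zuckmail ([<base64>])".
_TOKEN = re.compile(r"\(\[([A-Za-z0-9+/=]+)\]\)")


def decode_token(token):
    """Base64-decode a bracketed token and return it as an IP address, or None.

    binascii.Error (bad base64), UnicodeDecodeError and the error raised by
    ipaddress.ip_address are all subclasses of ValueError.
    """
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def find_leaked_ips(raw_message):
    """Return (header_value, ip, is_private) for each X-Facebook header carrying an IP."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for value in msg.get_all("X-Facebook", []):
        for token in _TOKEN.findall(str(value)):
            ip = decode_token(token)
            if ip is not None:
                findings.append((str(value), str(ip), ip.is_private))
    return findings


if __name__ == "__main__":
    for value, ip, private in find_leaked_ips(SAMPLE_EMAIL):
        kind = "private" if private else "public"
        print(f"originating address {ip} ({kind}) leaked in header: {value}")
```

Running this over a mailbox export shows which stored notifications still carry a decodable address, which is the check that confirms the fix described in the update above.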

This information is great when a fugitive is taunting law enforcement through their Facebook page, but not when a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication.

This isn’t the end of the world compared to some of Facebook’s other privacy problems; however, there is simply no need for Facebook to include these IP addresses, and it should be quickly fixed.

Guide to Changing Your Facebook Privacy Options

Posted by: Matt

Facebook is rolling out the new Privacy options today. There are a couple of good things and a couple of bad things. I suggest reading this article by the EFF for a good breakdown of the new changes. Sadly, your friends still have some bearing on how your information is used. In my opinion, Applications still get way too much leeway on what personal information they are able to see, collect, and use.

To maximize your privacy, I suggest the following changes. This guide should walk you through each screen and make sure you don’t miss anything important.

The basic Privacy Settings screen looks like this:

Start with the first group, Profile Information. There are several settings to update and every choice within this group should be set to “Friends Only”. You’ll have to click the Edit Settings button for Photo Albums and set each album to “Friends Only” as well.

The next group is Contact Information. This is how my settings look, but you may want to adjust for your own tastes.


The next group is Applications and Websites. The options here are:

For “What you share”, click on Learn More and you’ll see an info screen. Click the link in the very last sentence or just go here.

Click on “Edit Settings” for each application. Change the options to “Friends Only”. You might want to look at the “Additional Permissions” to see if the application can post to your stream.

Also, on the top right of this screen there is the drop down box labeled “Show”. Make sure you go through all of those screens so that you don’t miss any applications.

A quick note about Applications… make sure you delete any Applications you aren’t using. Every application has access to your personal information and this really isn’t a good thing. Take it straight from the creator of Mafia Wars.

The next group within Applications and Websites is “What Your Friends Can Share About You”. Uncheck everything and then click Save Changes.

The last two sections, “Blocked Applications” and “Ignore Application Invites” probably don’t need to be edited.

The fourth main section is Search. In this section you will need to uncheck “Allow Indexing” and set “Appear in Search Results” to “Friends of Friends” or “Friends Only”. This section will help restrict the general public from finding your profile. Again, the point of this article and the settings presented is to protect your privacy.

The last main section is Block List and probably doesn’t need to be edited at this time.

Now we’ve walked through the main sections to protect your privacy. This is a great first step, but as the EFF article points out:

Looking even closer at the new Facebook privacy changes, things get downright ugly when it comes to controlling who gets to see personal information such as your list of friends. Under the new regime, Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a “fan” of — as “publicly available information” or “PAI.”

To help minimize what you’re sharing with the public, you’ll have to change some of this info as well.

To begin, click on “Edit My Profile” underneath your profile picture. Uncheck “Show my sex in my profile” and make sure the dropdown box underneath your birthday is set to “Don’t show my birthday in my profile”.

Next, find the box on the left-hand pane that shows your friends. Click on the pencil and uncheck the box that says “Show my friends on my profile”.

Your profile picture is displayed publicly despite your Photo Album settings. If you’re not comfortable showing your picture to the world, change it to something else.

The final pieces of information will have to be removed entirely if you don’t want them publicly displayed. Current City, Networks, Recent Activity, and Fan Pages are all publicly available. I deleted everything (although I really didn’t have much to begin with).

To see how your new Profile looks to the public, click on Privacy Settings, Profile Information, and then Preview Profile. If there is any information displayed that you don’t want, go back through the settings and remove it. Again, some things must be manually deleted.

After following these steps, the only information I have publicly displayed is my name, my fake profile picture, and one Fan Page.


Good luck changing your settings. If there was something I missed, please let me know in the comments. If you have trouble changing a setting, let me know that as well and I’ll try to help you out.

News Story

Posted by: Matt

Here is a news story that Jim and I participated in on Facebook and securing your private information.

http://www.wowt.com/home/headlines/67332677.html

Facebook Security – Relying on Friends

Posted by: Matt

Another article came along regarding Facebook security and hijacked applications. What I found most interesting was this quote:

On top of all these security issues, in August many Facebook users were surprised to discover the vast amounts of personal information they were revealing by their use of Facebook quizzes. Even if you limit access to your profile through privacy settings, Facebook quiz applications can see everything on your profile page when you take a quiz…or even when your friend takes one. To make matters worse, Facebook does not screen developers for trustworthiness nor do they require developers to comply with a privacy policy.

“…or even when your friend takes one.” I’ve always thought that it’s kind of shady that quizzes and applications can access my friends’ personal data. I shy away from the apps and quizzes for this specific reason. But, are my friends providing me the same courtesy? By being on Facebook, am I putting my personal information security in my friends’ hands? Facebook has done better with increased privacy settings, and hopefully users have changed those settings to be more restrictive.

If I was a malicious user, I would absolutely create as many quizzes as I could that would take advantage of the automatic data mining capabilities of Facebook.

It seems like a recurring theme on this blog lately, but be careful of what you post online.

Facebook and Pentests

Posted by: Matt

While catching up on links that I saw filtering through on twitter this week, I came across a very good write-up on using Facebook to help with a pentest. This sort of indirect approach is always great, and with social media (still!) being rather new to many companies and users, there are no defenses in place in many cases.

And for that matter, how do you create an off-the-shelf product to protect against this sort of attack? It seems like far too often, if there is not an off-the-shelf product, companies don’t have any protection. Anything that is not just off the shelf is actually work to get in place, sooo….

Never discount the laziness of a target.