9

I'm interested in social networks and have stumbled upon something which makes me curious.

How does Facebook keep people from playing with URLs and gaining access to photos they should not?

Let me expand; here's an altered example of a Facebook image URL that came up on my feed:

https://fbcdn-sphotos-g-a.akamaihd.net/hphotos-ak-prn1/s480x480/{five_digit_number}_{twelve_digit_number}_{ten_digit_number}_n.jpg

So, those with more web application experience will presumably know the answer to this, I suspect it's well understood, but what is to stop me from changing the numbers and seeing other people's photos that possibly I'm not supposed to?

[I understand that this doesn't work, I'm just trying to understand how they maintain security and avoid this problem]

Many thanks in advance,

Nick

Kev
goose
  • 2
    I believe it is security by obscurity, nothing prevents you from accessing those pictures if you have their URL. There's no way you're going to 'guess' a 27 digits number. – Thomas Orozco Oct 20 '12 at 16:33

1 Answer

9

There's a couple ways you can achieve it.

  1. The first is to link to a script or action that authenticates the request, and then returns an image. You can find an example with ASP.NET MVC here. The downside is it's pretty inefficient, and you run the risk of twice the bandwidth for each request (once so your server can grab the image from wherever it's stored, and once to serve it to your users).

  2. The second option, you can do like Facebook and just generate obscure URLs for each photo. As Thomas said in his comment, you're not going to guess a 27 digit number.

  3. The third option I think is the best, especially if you're using something like Microsoft Azure or Amazon S3. Azure Blob Storage supports Shared Access Signatures, which lets you generate temporary URLs for private files. These can be set to expire in a few minutes, or last a lifetime. The files are served directly to the user, and there's no risk if the URL leaks after the expiration period.

    Amazon S3 has something similar with Query String Authentication.

Ultimately, you need to figure out your threat model, and make a decision weighing the pros and cons of each approach. On Facebook, these are images that have presumably been shared with hundreds of friends. There's a significantly lower expectation of privacy, and so maybe authenticating every request is overkill. A random, hard to guess URL is probably sufficient, and lets them serve data through their CDN, and minimizes the amount of processing per request. With Option 3, you're still going to have overhead of generating those signed URLs.

mfanto
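The answer above contrasts unguessable object names (option 2) with signed, expiring URLs (option 3). The following Python is an added illustration, not code from the answer, from Facebook, or from Azure/S3 (whose real signature formats differ): it mints a random object key, then signs a path plus expiry with an HMAC and verifies it with a constant-time comparison. `SIGNING_KEY` is a constructed placeholder secret, and the `/photos/...` paths are assumed sample values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder; a real deployment loads this from a secrets store
# and rotates it. Anyone holding this key can mint URLs for any object.
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"


def new_object_key() -> str:
    """Option 2: an unguessable object name (256 bits from the OS CSPRNG).

    Unlike a counter or a timestamp, this cannot be enumerated by
    incrementing digits in the URL, which is the attack the question asks about.
    """
    return secrets.token_urlsafe(32)


def _message(path: str, expires: int) -> bytes:
    """Bind the signature to both the object path and the expiry time."""
    return f"{path}\n{expires}".encode()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Option 3: mint a time-limited URL for a single object.

    The CDN or object store only needs the public verification logic below
    (and the key); the application server does no per-request image proxying.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _message(path, expires), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Return True only if the URL is unexpired and its signature matches.

    Because the path is part of the signed message, changing the object name
    or the expiry in the query string invalidates the signature.
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or malformed parameters
    if now > expires:
        return False  # a leaked URL is useless after its TTL
    expected = hmac.new(SIGNING_KEY, _message(parts.path, expires), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the expected value through timing.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    key = new_object_key()
    url = sign_url(f"/photos/{key}.jpg", ttl_seconds=300)
    print(url)
    print("valid now:", verify_url(url))
```

The random key alone gives the "security by obscurity" of option 2; adding the signature gives option 3, where a URL that leaks after its expiry stops working, and where a signed URL for one photo cannot be edited into a valid one for another.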
  • Thanks for your input, I was surprised to learn of Facebook's approach. I'm also now curious about the term you used: 'threat model'. Is there something behind this, an approach to modelling undesired behaviour that I can read about? – goose Oct 20 '12 at 17:01
  • 1
    Threat modeling and risk assessment is a pretty big field of computer security. You can probably get started reading about it here: http://en.wikipedia.org/wiki/Threat_model. But the overview is, you need to consider what your attackers' goals are, the resources they have, the tradeoffs of security mechanisms (costs, convenience), and your level of acceptable risk. In the Facebook case, these are "public" photos, and you want to stop casual snooping. The consequence if someone finds a URL is pretty low. So maybe you don't need such strong protection in place. – mfanto Oct 20 '12 at 17:09
  • 2
    On the other hand, if this is medical imaging data, then you're probably trying to stop directed attacks, and the consequences of a breach are significant, in the millions of dollars. If you're a dissident in a hostile country, then your adversary has near limitless resources, and the consequences are life, and so maybe serious inconvenience is ok. You already threat model every day, when you choose to lock your doors and thus deal with keys, when you plan your route home, etc. It's just applying this to your architecture. – mfanto Oct 20 '12 at 17:14