Tuesday, May 11, 2010

Another Facebook #Fail

How many more of these privacy leaks must we endure from Facebook? Here’s another hack that I was told about and have confirmed true. I believe it’s fixed at this point, but for all of the millions of other Facebook notifications already sitting in inboxes, *THIS WORKS*.

In the headers of the notification email there is a value that is merely base64-encoded (an encoding, not encryption, and trivially reversible):

X-Facebook: from zuckmail ([MjA5Ljg1LjIyNS4xMDQ=])

So all you have to do is decode the MIME base64 string:

$ perl -MMIME::Base64 -le 'print decode_base64("MjA5Ljg1LjIyNS4xMDQ=")'

Or just paste the string into any base64 decoder site.

THE SHOCKER?!?  IT’S YOUR IP ADDRESS!

209.85.225.104

It’s child’s play to take an IP address to a whois lookup or a geolocation service and narrow someone down to their ISP and city. This is just another reason I’ve cancelled my Facebook account permanently. As of this writing, I believe the encoded value now only decodes to 127.0.0.1, but WTF? This is simple stuff, guys…
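The whole check, as an added example that is not part of the original post: parse a notification email, pull the bracketed base64 token out of the X-Facebook header, decode it, and validate the result as an IP address. It also handles the scrubbed case mentioned above, where the header decodes to 127.0.0.1 and therefore reveals nothing. The sample message below is constructed for the example; only the X-Facebook header line is the one quoted in the post, and every other header is made up.

```python
"""Pull the base64-encoded address out of a Facebook notification's
X-Facebook header and decode it (added example, not the post's code)."""
import base64
import binascii
import email
import ipaddress
import re
from email import policy

# Constructed sample message: the X-Facebook line is the one quoted in the
# post; the remaining headers and the body are made up for this example.
SAMPLE_NOTIFICATION = b"""From: Facebook <notification+example@facebookmail.com>
To: user@example.com
Subject: You have a new message
X-Facebook: from zuckmail ([MjA5Ljg1LjIyNS4xMDQ=])
Message-ID: <example@facebookmail.com>

You have a new message on Facebook.
"""

# The header shape is "from zuckmail ([<base64>])"; grab what is between ([ and ]).
_HEADER_RE = re.compile(r"\(\[([A-Za-z0-9+/=]+)\]\)")


def extract_encoded_token(header_value):
    """Return the base64 token inside '([...])', or None if the header
    does not have that shape."""
    m = _HEADER_RE.search(header_value)
    return m.group(1) if m else None


def decode_address(token):
    """Base64-decode the token and validate it as an IP address.
    Returns an ipaddress object, or None if the bytes are not a valid address."""
    try:
        raw = base64.b64decode(token, validate=True)
        return ipaddress.ip_address(raw.decode("ascii"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify(addr):
    """Say whether the decoded address is worth anything to a tracker."""
    if addr is None:
        return "not-an-ip"
    if addr.is_loopback:
        return "loopback (scrubbed, reveals nothing)"
    if addr.is_private:
        return "private (internal address, not routable)"
    return "public (routable; whois/geoip narrows it to ISP and city)"


def analyze_message(raw_message):
    """Parse an RFC 5322 message and report on its X-Facebook header.
    Returns (token, decoded address as str or None, verdict string)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    header = msg.get("X-Facebook")
    if header is None:
        return None, None, "no X-Facebook header"
    token = extract_encoded_token(str(header))
    if token is None:
        return None, None, "header present but unexpected format"
    addr = decode_address(token)
    return token, (str(addr) if addr else None), classify(addr)


if __name__ == "__main__":
    token, addr, verdict = analyze_message(SAMPLE_NOTIFICATION)
    print(f"token={token} address={addr} verdict={verdict}")
```

To run it against a real notification, save the message as raw RFC 5322 text ("show original" in most webmail clients) and pass its bytes to analyze_message; compare the decoded address with your own public IP to confirm what the header actually records.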

1 comment:

Jason C said...

facebook? more like facepalmbook. :)