Facebook leaks user's IP addresses (opens in new tab)

(binint.com)

148 pointsrdj16y ago52 comments

52 comments

52 comments · 20 top-level

yaroslavvb16y ago· 12 in thread

Someone commented on that page that leaking user's IP address is a common spam-prevention practice. I just checked gmail and Yahoo Mail, and they both include my IP address in the header of outgoing messages

For instance, Yahoo Mail puts my IP address in a line like this

Received: from [xxx.xxx.xxx.xxx]

nebula16y ago

IMO, Email systems originally have been designed that way to facilitate traceability. When webmail came, it's natural that they followed this practice.

Facebook is a closed system. When you send a message to someone on Facebook, you presume that you are adding that message within Facebook. The notification email that Facebook sends to the recipient is just that, a notification generated by the Facebook system. You, the sender of the message is not part of this notification system, though you your action triggered the notification. There is no reason why the sender's IP should be exposed in this flow under normal circumstances.

danieldon16y ago

How did you send it using gmail? I just sent two via the web interface, one to a gmail account and another to a non-gmail account, the originating ip is 209.85.221.175 (a google ip address) and my current IP doesn't show up anywhere in the headers.

Edit: it doesn't show up base64 encoded, either.

mct16y ago

gmail reveals the sender's IP address only when sending mail via (authenticated) SMTP. The IP address is hidden when sending mail via the web interface.

yaroslavvb16y ago

I sent it using gmail's web interface. My IP address shows up in "X-Originating-IP" part of header

yellowbkpk16y ago

I don't see my IP in the headers of mail sent from GMail, either. I also tried sending via my phone and got the same results.

ohashi16y ago

Been trying to figure that out for ages... if there really is a way that would be huge.

rm-rf16y ago

Correct - Yahoo and others put the IP address of the client that sent the mail in the SMTP headers.

Example:

Received: from [x.x.x.x] by web113916.mail.gq1.yahoo.com via HTTP; Fri, 07 May 2010 18:59:00 PDT

In this test case, x.x.x.x is my current IP address, not Yahoo!'s. The HTTP indicates that I used a browser, not POP/IMAP.

They've been doing that for years. It's handy as heck when you need to track an e-mail - you don't have to bother Yahoo with a subpoena - you can go right to the client's ISP.

There is no reason Facebook shouldn't do the same thing.

Edit: Comcast does:

X-Originating-IP: [x.x.x.x]

Google is weird:

Received: by 10.216.27.139 with HTTP; Fri, 7 May 2010 19:34:21 -0700 (PDT)

I'm not on a 10.x address. Hmmm....

known16y ago

Headers of http://groups.google.com/ posts reveal IP address

LiveTheDream16y ago

I can see that Yahoo mail adds the originating IP address, but not Gmail.

brlewis16y ago

When I wrote a web-to-email gateway in 1994 it added a Received header with the web client IP address. Back then it was a harassment-prevention practice, because spam was either nonexistent or not a problem.

mikexstudios16y ago

I thought Gmail doesn't include the sender's IP address in their outgoing mail: http://mail.google.com/support/bin/answer.py?hl=en&answe....

alexyim16y ago

"IP addresses can be considered sensitive information. As such, Gmail may hide sender IP address information from outgoing mail headers in some circumstances."

They only said they may hide it.

wildmXranat16y ago· 5 in thread

Can someone write a GUI in Visual Basic to track these IPs please?

iamdave16y ago

I'm assuming you got downvoted because no one saw that episode of Criminal Minds. Heh.

jasonlbaptiste16y ago

will do after i finish my logowriter script

LEFT 90 UP 90

move turtle move!

jacquesm16y ago

It's turtles all the way left and up then ? I thought they only went down ;)

roach16y ago

That's an insult to Logo.

shrikant16y ago

Link for down-voters: http://www.youtube.com/watch?v=hkDD03yeLnU

harshpotatoes16y ago· 4 in thread

Note: I havent experimented with this yet.

Are we sure this is the ip address of the user and not just the ip address of one of facebook's servers?

If it is a user's address... is that a problem? This seems like very easy to obtain online information... for example, by sending an email to the person im trying to talk with via facebook...

rdjOP16y ago

It's the user (I tested with 2 friends to verify). Here's a scenario we talked about in my house: Once potential problem: friends-of-friends. A friend-of-friend comments on something your mutual friend put out, you then comment, the first friend (whom you don't know) can use this trick to ballpark your location.

harshpotatoes16y ago

Right. But you're all talking to each other. It seems to me this same info would still be available to everyone if you were emailing each other. I don't really see this one as a huge security risk...

natrius16y ago

Did you test the problem you described? If it works, this is the only potential flaw I see. Including IP addresses with messages still doesn't seem like a bad thing regardless.

jsz016y ago

It allows some basic location tracking. The real world impact is minimal and easily obtained through other methods. If your friends or family want to track your location it's time to reconsider your relationships with them in my opinion.

hachiya16y ago· 3 in thread

Yep. Confirmed. Command line example:

Take the Base64 string from this line in the headers:

X-Facebook: from zuckmail ([OTguMTgzLjI0Ny4yMTg=])

  $ ruby -rbase64 -e "puts Base64::decode64('NzQuMTI1Ljk1LjEwNA==')"
  74.125.95.104

bobbyi16y ago

That confirms that it's a IP address, not that it's his.

spc47616y ago

I did the same for two Facebook notifications, from different friends, and both tagged their city (Tuscaloosa, AL didn't surprise me, but Blountstown, FL? That's fairly targetted).

rm-rf16y ago

Or - that confirms that it's 32 bit number that when represented as a dotted quad appears to be an IP address.

dmn00116y ago· 2 in thread

Perl 1-liner: http://bit.ly/cNHkzQ Every other day I see facebook and privacy in the same sentence..

natrius16y ago

"Every other day I see facebook and privacy in the same sentence.."

That's because Facebook-bashing has become fashionable. There is absolutely nothing wrong with the behavior described in the article. It's how email is supposed to work. There is no way to accidentally include the IP address in an email header. They (presumably) do it on purpose.

jacquesm16y ago

Usually with a negative in the sentence somewhere.

u4899816y ago· 2 in thread

Seems Facebook users are born in 2009 or after wards. Every email service sends your IP address with the email. The exception is Google.

sounddust16y ago

1) Someone tagged me in a photo and it leaked their IP address.

2) Someone who is not even my friend commented on someone's status, and I got a notification because I made a comment before her. It leaked her IP address to me.

These situations are not comparable to e-mail, and I seriously doubt these people reasonably expected their IP address to be sent to me based on these actions.

jrockway16y ago

Every? My mail appears to originate from mail.jrock.us, my MX, regardless of whether or not its actually composed on that machine.

MikeCapone16y ago· 1 in thread

Does anyone know of a site that tracks all of these privacy problems (and potential problems) with Facebook? Following up and keeping track is the best way to keep FB accountable, and I'm sure a lot of media people would use such a site.

there16y ago

there might be a facebook group for it...

patio1116y ago· 1 in thread

I'm just... not concerned? Anything you do online leaks your IP address. If a friend embeds a photo from Flickr into their feed, and you load it, consider your IP leaked. etc, etc, etc

alanh16y ago

Leaked to Flickr, not to a Flickr user, unless I am missing something.

hugh316y ago· 1 in thread

but not when a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication

Is this the best scenario they could come up with where this is a problem?

mcantelon16y ago

This might have been a reference to a similar scenario regarding a Google privacy leak:

http://bit.ly/bCrVll

devinj16y ago· 1 in thread

Why does this matter? I get others IPs and send my IP all the time (e.g. IRC). If I was worried about my IP, I would use something like tor when doing everything. But worrying about IPs seems... silly An IP is just so uninformative, unless somebody subpoenas my ISP or something.

rm-rf16y ago

"unless somebody subpoenas my ISP or something"

And in addition to your secure wireless SSID, you have an open SSID at your house that you maintain just for that reason, right?

Mine's named Free_Porn.

rdjOP16y ago

Not speculation. I just tried this with a few folks, and it works as advertised.

rdjOP16y ago

They changed it. The new header is:

X-Facebook: from zuckmail ([MTI3LjAuMC4x])

(127.0.0.1)

So I guess, nothing else to see here. Move along.

robryan16y ago

I'd be surprised if someone really wanted my IP they couldn't get it just by getting me to visit something off facebook.

jarin16y ago

Your computer may be broadcasting an IP address!!

stcredzero16y ago

"Leaks IP address" as a dramatic headline is an indicator that the poster is not-so savvy about networks and security. Seriously, this is the level of knowledge I observed in the typical high school student 3 years ago or so.

davidmurphy16y ago

I just did this on an email about a comment on my wall post by someone at a nonprofit. Sure enough, it came up with not just an IP, but a subdomain listing that nonprofit's domain name.

Yes, it works.

oomkiller16y ago

And so does every popular webmail provider. I remember learning about this when I was 12.

chronomex16y ago

This is not new at all.

Here's a segment of an email header from 2006:

  X-Facebook: from zuckmail ([128.208.54.23])
          by washington.facebook.com with HTTP (ZuckMail);
  Date: Sun, 10 Dec 2006 12:31:27 -0800

petercooper16y ago

It must suck for the one user who has had all their IP address's leaked.

jseifer16y ago

Your computer is broadcast an IP address!

j / k navigate · click thread line to collapse

52 comments

52 comments · 20 top-level

yaroslavvb16y ago· 12 in thread

For instance, Yahoo Mail puts my IP address in a line like this

Received: from [xxx.xxx.xxx.xxx]

nebula16y ago

IMO, Email systems originally have been designed that way to facilitate traceability. When webmail came, it's natural that they followed this practice.

danieldon16y ago

Edit: it doesn't show up base64 encoded, either.

mct16y ago

gmail reveals the sender's IP address only when sending mail via (authenticated) SMTP. The IP address is hidden when sending mail via the web interface.

yaroslavvb16y ago

I sent it using gmail's web interface. My IP address shows up in "X-Originating-IP" part of header

yellowbkpk16y ago

I don't see my IP in the headers of mail sent from GMail, either. I also tried sending via my phone and got the same results.

ohashi16y ago

Been trying to figure that out for ages... if there really is a way that would be huge.

rm-rf16y ago

Correct - Yahoo and others put the IP address of the client that sent the mail in the SMTP headers.

Example:

Received: from [x.x.x.x] by web113916.mail.gq1.yahoo.com via HTTP; Fri, 07 May 2010 18:59:00 PDT

In this test case, x.x.x.x is my current IP address, not Yahoo!'s. The HTTP indicates that I used a browser, not POP/IMAP.

They've been doing that for years. It's handy as heck when you need to track an e-mail - you don't have to bother Yahoo with a subpoena - you can go right to the client's ISP.

There is no reason Facebook shouldn't do the same thing.

Edit: Comcast does:

X-Originating-IP: [x.x.x.x]

Google is weird:

Received: by 10.216.27.139 with HTTP; Fri, 7 May 2010 19:34:21 -0700 (PDT)

I'm not on a 10.x address. Hmmm....

known16y ago

Headers of http://groups.google.com/ posts reveal IP address

LiveTheDream16y ago

I can see that Yahoo mail adds the originating IP address, but not Gmail.

brlewis16y ago

mikexstudios16y ago

I thought Gmail doesn't include the sender's IP address in their outgoing mail: http://mail.google.com/support/bin/answer.py?hl=en&answe....

alexyim16y ago

"IP addresses can be considered sensitive information. As such, Gmail may hide sender IP address information from outgoing mail headers in some circumstances."

They only said they may hide it.

wildmXranat16y ago· 5 in thread

Can someone write a GUI in Visual Basic to track these IPs please?

iamdave16y ago

I'm assuming you got downvoted because no one saw that episode of Criminal Minds. Heh.

jasonlbaptiste16y ago

will do after i finish my logowriter script

LEFT 90 UP 90

move turtle move!

jacquesm16y ago

It's turtles all the way left and up then ? I thought they only went down ;)

roach16y ago

That's an insult to Logo.

shrikant16y ago

Link for down-voters: http://www.youtube.com/watch?v=hkDD03yeLnU

harshpotatoes16y ago· 4 in thread

Note: I havent experimented with this yet.

Are we sure this is the ip address of the user and not just the ip address of one of facebook's servers?

If it is a user's address... is that a problem? This seems like very easy to obtain online information... for example, by sending an email to the person im trying to talk with via facebook...

rdjOP16y ago

harshpotatoes16y ago

Right. But you're all talking to each other. It seems to me this same info would still be available to everyone if you were emailing each other. I don't really see this one as a huge security risk...

natrius16y ago

Did you test the problem you described? If it works, this is the only potential flaw I see. Including IP addresses with messages still doesn't seem like a bad thing regardless.

jsz016y ago

hachiya16y ago· 3 in thread

Yep. Confirmed. Command line example:

Take the Base64 string from this line in the headers:

X-Facebook: from zuckmail ([OTguMTgzLjI0Ny4yMTg=])

  $ ruby -rbase64 -e "puts Base64::decode64('NzQuMTI1Ljk1LjEwNA==')"
  74.125.95.104

bobbyi16y ago

That confirms that it's a IP address, not that it's his.

spc47616y ago

I did the same for two Facebook notifications, from different friends, and both tagged their city (Tuscaloosa, AL didn't surprise me, but Blountstown, FL? That's fairly targetted).

rm-rf16y ago

Or - that confirms that it's 32 bit number that when represented as a dotted quad appears to be an IP address.

dmn00116y ago· 2 in thread

Perl 1-liner: http://bit.ly/cNHkzQ Every other day I see facebook and privacy in the same sentence..

natrius16y ago

"Every other day I see facebook and privacy in the same sentence.."

jacquesm16y ago

Usually with a negative in the sentence somewhere.

u4899816y ago· 2 in thread

Seems Facebook users are born in 2009 or after wards. Every email service sends your IP address with the email. The exception is Google.

sounddust16y ago

1) Someone tagged me in a photo and it leaked their IP address.

2) Someone who is not even my friend commented on someone's status, and I got a notification because I made a comment before her. It leaked her IP address to me.

These situations are not comparable to e-mail, and I seriously doubt these people reasonably expected their IP address to be sent to me based on these actions.

jrockway16y ago

Every? My mail appears to originate from mail.jrock.us, my MX, regardless of whether or not its actually composed on that machine.

MikeCapone16y ago· 1 in thread

there16y ago

there might be a facebook group for it...

patio1116y ago· 1 in thread

I'm just... not concerned? Anything you do online leaks your IP address. If a friend embeds a photo from Flickr into their feed, and you load it, consider your IP leaked. etc, etc, etc

alanh16y ago

Leaked to Flickr, not to a Flickr user, unless I am missing something.

hugh316y ago· 1 in thread

but not when a wife is trying to hide from an abusive husband and assumes Facebook is the best form of communication

Is this the best scenario they could come up with where this is a problem?

mcantelon16y ago

This might have been a reference to a similar scenario regarding a Google privacy leak:

http://bit.ly/bCrVll

devinj16y ago· 1 in thread

rm-rf16y ago

"unless somebody subpoenas my ISP or something"

And in addition to your secure wireless SSID, you have an open SSID at your house that you maintain just for that reason, right?

Mine's named Free_Porn.

rdjOP16y ago

Not speculation. I just tried this with a few folks, and it works as advertised.

rdjOP16y ago

They changed it. The new header is:

X-Facebook: from zuckmail ([MTI3LjAuMC4x])

(127.0.0.1)

So I guess, nothing else to see here. Move along.

robryan16y ago

I'd be surprised if someone really wanted my IP they couldn't get it just by getting me to visit something off facebook.

jarin16y ago

Your computer may be broadcasting an IP address!!

stcredzero16y ago

davidmurphy16y ago

I just did this on an email about a comment on my wall post by someone at a nonprofit. Sure enough, it came up with not just an IP, but a subdomain listing that nonprofit's domain name.

Yes, it works.

oomkiller16y ago

And so does every popular webmail provider. I remember learning about this when I was 12.

chronomex16y ago

This is not new at all.

Here's a segment of an email header from 2006:

  X-Facebook: from zuckmail ([128.208.54.23])
          by washington.facebook.com with HTTP (ZuckMail);
  Date: Sun, 10 Dec 2006 12:31:27 -0800

petercooper16y ago

It must suck for the one user who has had all their IP address's leaked.

jseifer16y ago

Your computer is broadcast an IP address!

j / k navigate · click thread line to collapse