Thoughts the FetLife “Hack”
TL;DR: Your FetLife account might be more exposed than you expected. Don’t Panic. It’s not that bad, and you can still protect yourself.
(I originally posted this as a FetLife writing. A user asked me to post it outside of FetLife so it could be publicized further… so I’m reposting it here. Share and enjoy!)
In my vanilla life, I’m a professional software developer. I’ve been building web applications (ie: web sites that do stuff) for… checks calendar… ugh, 13 years already? Sigh.
Today John Baku posted this announcement about a tool that would let any Internet user browse FetLife without an account. Not surprisingly this scared a bunch of people.
Currently, at the top of K&P is this post entitled “The outrage of the day (View Fetlife without an account).” It links to a tweet that links to the source code for this tool. (The “source code” is the stuff that makes the program run. If you have that and the right technical knowledge, you can run the tool yourself; you don’t need on someone else’s website to run it for you.)
Currently, you can find this source code here.
Don’t get freaked out because I linked to it here. Linking to it doesn’t do any more harm than has already been done. In fact, it really helps the situation. The more people that can analyze this, the better. In computer engineering, we have a catchphrase: “security through obscurity is an illusion.” The jist is that you shouldn’t ever be relying on “nobody will know/care enough to hack our site.” Real security requires active & intentional work.
Fortunately, this “hack” doesn’t exploit any security flaw in FetLife. As far as we know, the people behind FetLife have done their jobs correctly.
This browse-without-an-account tool is what’s known as a “proxy”. What it does is take a sock-puppet FetLife account, log in with it, and then browse normally, feeding the web pages back to the account-less user. It’s actually very simple and unsophisticated — but effective.
Here’s the deal though: this is no different than a real person creating their own account and browsing like any other user. That user could be malicious, using their own fresh sock-puppet account. Or, it could be that cute new person you met at the munch last night. As far as FetLife can ever tell, there is no difference between any of these users.
And that’s the bad news. Ultimately, there’s no way to prevent this kind of attack without destroying the things that make FetLife work in the first place. That is: you need to be able to find & connect with new people.
All social networks operate on this same principle. The difference with FetLife is that they’re actually better than most at protecting your privacy. As far as we know (we’re taking them at their word here), they’re not explicitly selling your data to anyone behind the scenes. (Gives Facebook a dirty look.) It’s just you and your fellow FetLifers out there.
Yes, FetLife could change their own website source code to break this particular tool. In my opinion, they shouldn’t bother. Doing that just becomes an arms race with the kind of people who write this sort of tool… and, by the nature of how websites work, they will lose that arms race. It’s unavoidable.
Yes, FetLife could try to block the person responsible for writing the tool, the sock-puppet accounts used by the tool, and the computers that the tool uses to access the site. This is probably not worth the effort. More programmers, accounts, and computers will simply pop up to take their place.
Yes, FetLife could try to take legal action against the writer of these tools. I’m not a lawyer, but my guess is that they certainly will not win any real victory. It’s far too easy to go underground and dodge legal jurisdictions. I’m not even sure that any laws have actually been broken. (I believe you could make a decent legal argument that it’s not unlawful to do this.) John mentioned filing DMCA takedown notices; I don’t see any copyrights being infringed, so I doubt this will get very far. Even if you could pursue the matter in court, the legal costs would be prohibitively hight for FetLife.
The only thing that FetLife can (and IMO should) do is something that they’ve already done (to an extent): lock down your information so that only your friends can see it. Then, when the inevitable sock-puppet account/malicious user comes a-knocking, they won’t see anything of importance on your account.
Now for the Good News: FetLife already allows this for pictures, videos, and writings. These are the important ones. I suppose they could expand that to profile details (age, location, friends lists, etc), but this comes at a cost of usability. Every time you make something friends-only, you (slightly) weaken the social network that is the point of FetLife. (Consider how cautious you are if someone without a face pic sends you a message.)
Personally, I’ve decided to leave my pics & writings public, including my face pics. I think that the benefits of having not-yet-friends access my stuff outweighs the risks of having someone who is out to harm me see it. I might be wrong in my assessment. I won’t know until it bites me in the ass. Hopefully, that never happens.
You can make your own call. Go and make your sensitive pics and writing friends-only. Take everything that is sensitive out of your profile and put it in a friends-only Note. Take a walk down your friends list and drop anyone you don’t completely trust. Accept that your profile will be a little less welcoming, and take comfort in the fact that you’re being proactive about your privacy.
Got questions? Need advice? Want to tell me I’m wrong? Feel free, either in comments or private messages. Knowledge is power!
Edits & Updates
On Google Indexing
@optical_illusion makes a very good point: running a proxy that bypasses traditional login makes it possible for Google to spider/index the user pages, potentially opening up a vulnerability to search.
FetLife, for its part, is already doing what it can to prevent that. They include a file on the website (called robots.txt) which tells Google (and other search engines) to *not* allow search for the main pages (including the user profile pages). This makes sense, as since they’re normally protected by a login, Google shouldn’t be able to access the pages anyway. The proxy will also proxy this file, and so Google will (probably) not search the proxy either.
This isn’t foolproof. A proxy server could potentially modify the robots.txt file to allow searching & indexing. This one doesn’t do this, but the next version could.
As other commenters have mentioned, you pretty much have to expect that any information you put on your FetLife page could potentially leak outside of FetLife into the public. There’s too many ways to do this (both automatically and manually, maliciously or by accident) to assume real privacy. If it’s going to harm you to have it out there, don’t put it up here.
Yup, FetLife did get Googled
I searched on Google for “FetLife WryGuy“. There’s a lot there that’s expected for me personally (ex: my Twitter page), but lower down on the first page you’ll find this link:
The proxy has been taken down, so that link is dead now. However, Google saved a cached a copy of the page, which in turn is now publicly accessible & searchable.
And that sucks.
Note that this particular page wasn’t covered by the robots.txt exclusion I described above. My recommendation to FetLife is to disallow searching for all pages on FetLife (with the possible explicit exception of the not-logged-in page).