How GCHQ exploited Facebook security weaknesses

Data Ben Sullivan

10:21, May 14 2014


UK spies used Akamai content delivery network to extract user data.

Documents from ex-NSA contractor Edward Snowden have revealed that the UK's GCHQ obtained private user data from Facebook by exploiting a security gap.

Slides purporting to be from a GCHQ PowerPoint presentation titled "Exploiting Facebook traffic in the passive environment to obtain specific information" tell how social networks such as Facebook are "a very rich source of information on targets" for the government agency.

According to the documents, GCHQ goes on to describe how many profiles aren't public, "but passive [exploitation] offers the opportunity to collect this information by exploiting inherent weaknesses in Facebook's security model."

"Targets [are] increasing usage of Facebook, BEBO, Myspace etc," say the slides.

They also point out that social networks are "a very rich source of information on targets," including personal details, pattern of life, connections to associates, and media.

Facebook users' photos were delivered via the content delivery network Akamai, which was the opening GCHQ used to obtain user IDs and photos.

"It is possible to dissect the CDN (Content Delivery Network) URLs generated by Facebook in order to extract the Facebook user ID of the user whose picture the file pertains to," reads one of the slides.

At the time of publishing, CBR has not yet received a comment from Facebook.


The slides feature in Glenn Greenwald's new book No Place To Hide.


Update - Facebook got in touch with CBR and a spokesperson said:

"We don't have any evidence of these allegations. The slides are dated several years ago, during which time our security technology improved in many important ways. We continue to believe that governments should be more transparent about the requests they make of companies like Facebook, and that they should use established legal channels."


