Facebook notifications leak IP addresses

Note: Please see update at the end of this story.

Is everyone tired of hearing about Facebook yet? I am starting to think so, but every time I turn around they have another issue with information leakage. Unlike some of the privacy issues, this one does not appear to be by design, but clearly Facebook is aware it’s a problem because they tried to hide it.

Most people would agree at this point that we should not expect Facebook to protect our privacy, but with hundreds of millions of users impacted by their decisions, it’s important to publicize these issues in the hopes that they will address them.

At InfoSec Europe last week, an attendee named Tayo approached me after my presentation and asked if I was aware that Facebook was including people’s IP addresses in all of their notification emails. I was pretty shocked, and he referred me to some research that had been done by Phil Bramwell.

I began by looking at some Facebook emails from 2008 to see if the issue was occurring then. As you can see, at the time Facebook included the IP of the person initiating the communication in plain text.
2008 Facebook email header

I grabbed a more recent message, one from 2009, and the address was obfuscated, but still in the same place in the message header. The IP of the requesting individual was encoded in Base64, which is trivial to reverse using a simple Google search.
New Facebook message header

What types of messages include this information? It appears from my testing that it’s included in all messages generated by “Zuckmail,” Facebook’s email generation application. The IP of the initiating party is encoded and delivered in the email you receive. This includes notifications of being tagged in a photo, private messages, friend requests, even account deletion requests.

Granted, Facebook may need to log interactions with their systems for legal reasons, but there is no conceivable reason to send this data out to anyone and everyone. Your IP address may indicate your location (even locally, I was able to tell whether people were posting from work, home, or their phone), and could also allow malicious individuals to initiate a denial of service attack against your PC/router/firewall.

As with PleaseRobMe.com, it would be easy for people to determine from your IP address that you are trapped away from home in a European ash cloud, or that you are lying about your activities and location. Using online services and social media for communications carries with it the same risks as sending emails. It is certainly no more private; in fact it most likely is less so.

Hopefully Facebook is listening to all of the commentary related to their users’ concerns over privacy, and will make changes to their messaging system. They are clearly aware that including the IP is a bad idea, considering their move to begin hiding it, albeit trivially. Facebook, please remove my IP from your messages altogether. If I want someone to know where I am and how I connect, I’ll tweet it.

Update: Excellent news. Facebook has changed the “Zuckmail” headers to only include localhost ( Base64 encoded in current message headers. Some people pointed out that your IP is exposed in other ways on the Internet, while true many people believed Facebook to be safer than email for sensitive communications because it went through a third party. Facebook’s change restores some of that anonymity. Thank you Facebook.

For the curious, if your headers now read “X-Facebook: from zuckmail ([MTI3LjAuMC4x])” then you are fine. MTI3LjAuMC4x decodes to a generic address for your own PC: