During the testing of an application we’ve set up in a non-published area we have noticed some unusual activity. The link for the app was sent via facebook chat and afterwards comes the interesting part:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
13.04.2015 22:05:01 2a03:2880:3010:3ff4:face:b00c:0:1 13.04.2015 22:05:02 2a03:2880:3010:3ff6:face:b00c:0:1 13.04.2015 22:05:02 2a03:2880:3010:3ff3:face:b00c:0:1 13.04.2015 22:05:03 2a03:2880:2020:8ff0:face:b00c:0:1 13.04.2015 22:05:03 2a03:2880:2020:8ff2:face:b00c:0:1 13.04.2015 22:05:24 2a03:2880:2020:8ff4:face:b00c:0:1 13.04.2015 22:05:29 2a03:2880:20:3ff1:face:b00c:0:1 13.04.2015 22:05:31 2a03:2880:20:5ff4:face:b00c:0:1 13.04.2015 22:05:32 2a03:2880:20:cff6:face:b00c:0:1 13.04.2015 22:07:58 2a03:2880:11:2ff9:face:b00c:0:8000 13.04.2015 22:07:58 2a03:2880:2130:7ff2:face:b00c:0:1 13.04.2015 22:08:05 2a03:2880:3010:3ff2:face:b00c:0:1 13.04.2015 22:08:06 2a03:2880:3010:3ff5:face:b00c:0:1 13.04.2015 22:08:06 2a03:2880:3010:3ff7:face:b00c:0:1 13.04.2015 22:08:07 2a03:2880:3010:7ff6:face:b00c:0:1 13.04.2015 22:08:42 2a03:2880:20:4ff2:face:b00c:0:1 |
Lots of IPv6 for a single facebook check.
We went a step further. Forced IPv4 and tracked logs for an URL that was freshly created and sent via facebook chat.
1 2 3 4 5 6 7 8 9 10 11 12 |
x.x.x.x - - [14/Apr/2015:04:07:05 +0200] "GET /_temp/cork.png HTTP/1.1" 200 626798 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" 31.13.97.116 - - [14/Apr/2015:04:07:41 +0200] "GET /_temp/cork.png HTTP/1.1" 206 524607 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" 31.13.97.115 - - [14/Apr/2015:04:07:42 +0200] "GET /_temp/cork.png HTTP/1.1" 206 9315 "http://domain.tld/_temp/cork.png" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" 31.13.97.118 - - [14/Apr/2015:04:07:43 +0200] "GET /_temp/cork.png HTTP/1.1" 206 9315 "http://domain.tld/_temp/cork.png" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" 173.252.122.119 - - [14/Apr/2015:04:07:44 +0200] "GET /_temp/cork.png HTTP/1.1" 200 626798 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" 173.252.122.120 - - [14/Apr/2015:04:07:46 +0200] "GET /_temp/cork.png HTTP/1.1" 206 626812 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" 173.252.105.116 - - [14/Apr/2015:04:07:48 +0200] "GET /_temp/cork.png HTTP/1.1" 200 626798 "-" "visionutils/0.2" x.x.x.x - - [14/Apr/2015:04:09:18 +0200] "GET /_temp/cork.png HTTP/1.1" 200 626798 "-" "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; Xperia ion Build/IMM76L; CyanogenMod-9) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" 54.81.128.202 - - [14/Apr/2015:04:12:06 +0200] "GET /_temp/cork.png HTTP/1.1" 200 626798 "-" "Recorded Future" 66.212.143.116 - - [14/Apr/2015:04:16:01 +0200] "GET /_temp/cork.png%22 HTTP/1.1" 404 1286 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" 66.212.143.116 - - [14/Apr/2015:04:16:02 +0200] "GET /_temp/cork.png%22 HTTP/1.1" 404 1230 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" 66.212.143.116 - - [14/Apr/2015:04:25:15 +0200] "GET /_temp/cork.png%22 HTTP/1.1" 404 1286 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" |
x.x.x.x were our IP addresses and after the facebook checking the link there was no activity for ~3 minutes. As it can bee seen from the logs next hit was with “Recorded Future” signature (here we’ll disregard two hits that were made from US/Illinois 16 minutes later even though it’s not anything related to our company or area)
Search for terms “facebook chat scan” gave us this result: http://mashable.com/2012/07/12/facebook-scanning-chats/, but in this case it’s a third party. Company unrelated to Facebook.
“Recorded Future is an American-Swedish startup backed by both Google Ventures and American intelligence agencies. ”
http://www.fastcolabs.com/3014444/does-world-history-repeat-one-cia-backed-startup-plans-to-find-out
They also claim:
1 |
...our patented Web Intelligence Engine continuously analyzes the open Web... |
Considering that they were crawling links that were not published anywhere else and only sent via FB chat “open Web” seems to be an understatement.
Also, the interesting part is that recent focus of “Recorded Future” are terrorist groups such as ISIS, cyber criminal organizations and any kind of “public” internet activity that’s related to possible threats.
Conclusion would be that the privacy on facebook does not exist and their lawyers covered it well with EULA and their privacy policy:
1 2 |
Promote safety and security. We use the information we have to help verify accounts and activity, and to promote safety and security on and off of our Services, such as by investigating suspicious activity or violations of our terms or policies. We work hard to protect your account using teams of engineers, automated systems, and advanced technology such as encryption and machine learning. We also offer easy-to-use security tools that add an extra layer of security to your account. For more information about promoting safety on Facebook, visit the Facebook Security Help Center. |