Yet another Facebook privacy risk: emails Facebook sends leak user IP address (UPDATED)


50 Responses to “Yet another Facebook privacy risk: emails Facebook sends leak user IP address (UPDATED)”

  1. Anonymous says:

    Anyone else get the irony that an article about privacy asks you to enter your IP address into a random website that gives ABSOLUTELY NO PRIVACY POLICY WHATSOEVER?

  2. Anonymous says:

    the new “Share” button at the bottom of each facebook page, which for instance, when you’re looking at a friend’s photo album, allows you to share a particular image with one of your own friends, no matter what the owner’s album privacy is set to.

    please write about this. thank you.

  3. Anonymous says:

    Something else to mention about FB privacy. If you have a Yahoo account, you can go under your contacts, click “New! Import email addresses from your Facebook friends to Yahoo! Contacts.”
    And all the email addresses linked to all of your friends instantly pop into your contacts.
    So don’t friend anyone you don’t know like those spammer accounts, and don’t bother hiding your email on FB.

  4. phoomp says:

    How is this any different from any other email application?

  5. kaffeen says:

    I admire that BB is continuing to shine the light on Facebook privacy issues.

    This type of encoding is not unique to Facebook (as many sysadmins can attest), however, there is a huge difference between having this type of encoding (which is easily decoded) on private email (which only goes to where you want it) and to have this type of encoding on unknowingly public events/activities/communications (which goes everywhere you don’t want it to go). The difference is quite distinctive and is a huge violation of privacy in many different ways (and if this in and of itself does not make everyone a victim, it certainly will eventually lead to many being a victim of nefarious intent).

    If you haven’t deleted your profile yet, all I have to say is….”under the spreading chestnut tree I sold you and you sold me”.

  6. bcsizemo says:

    Yeah I guess I don’t see what is f’d about this…

    One of the few scenarios would be not wanting to be found. But frankly if you are using facebook and the law gets involved they could probably force facebook to give them your last ip regardless if it’s being sent out in messages or not.

    I know where my friends live, they know where I live. I’m not a friend whore, I don’t have 87 zillion friends. I don’t publish my address or phone number.

    BUT, if you were my friend, knew what city I lived in, THEN you could find the county, and look my exact address via the tax/deed office online. OH THE TRAVESTY…

    Or you could be walking down the street and walk up to my house and knock on my door, what to do then?!

    Like a couple people have said if someone is going to find you, and you make any presence known, then they will.

    Don’t want to be found, go live off the grid (and that means no phone, no internet access, or perhaps the occasional coffee shop.)

    (BTW Thunderbird version 2, shows my internal/external ips and the receiving ip on almost all emails I have, that aren’t auto generated ie facebook)

  7. Anonymous says:

    We originally included IP address information in these email headers as part of industry best practices designed to improve spam filters. This is similar to what many webmail providers do. However, we agree this practice no longer makes sense for Facebook and we’ve discontinued it. Thank you for bringing this to our attention.


    Barry Schnitt
    Director, Policy Communications
    [phone # redacted]

    • Cowicide says:

      Why should we believe what you say, Barry?


      SitePoint: Many people are concerned about Facebook selling their information. Can you as a spokesman for the company categorically deny this might happen?

      Schnitt: We will not sell user data. Any assertion to the contrary is false.



      Senators’ letter to Facebook

  8. Razzabeth says:

    Well, even with the extra instruction on how to view the header, I was still unable to make this trick work. Therefore, I am unimpressed, and unbelieving that the average person could find my exact location from Facebook. If a hacker could do it, well, hackers have always been able to do things like that.

  9. fritz from london says:

    Facebook? Getting their shit together? They are too busy using your personal data to make money

  10. millrick says:

    I nominate Boing Boing to be the creators of a new social media site that actually protects privacy (while participating in the Creative Commons, of course).

    how hard could it be?

  11. Jack says:

    Hmmm. I am not too sure I understand why this is upsetting now? I just did a search for tech support e-mails received from Facebook by me as far back as September 2008, and I see the same “X-Facebook:” header with the IP not Base-64 encoded.

    ‘X-Facebook: from zuckmail ([]) by with HTTP (ZuckMail);’

    Also, as others have pointed out sending a user IP address with e-mails is nothing new.

    Personally, I find the tact of Apple encoding geolocation info into iPhone photos is far more disturbing. Open up any image with such tags in “Preview” in Mac OS X, go get image info, poke around and you are one click away from launching Google Maps and seeing the exact location the image was taken.

  12. Anonymous says:

    What. The. Fuck. I mean, seriously, what the fuck is facebook doing? There is seriously NO way to stop my IP address leaking to all my friends (and probably their friends)? Admittedly, my IP address is at my school, so it doesn’t tell anyone anything interesting they couldn’t see on my public page. But still,

  13. johnnyaction says:

    Confirmed and wow. This is such huge epic fail. I can see storing ipaddresses keyed against sessionid’s in a facebook side database but to release this info to the world is such pure evil suck.

    • DoppelFrog says:

      @johnnyaction I couldn’t get it to work; just gave me ‘Invalid email header’. I tried all of the headers and just the X-Facebook… line

      Any ideas?

  14. Anonymous says:

    It appears that the actual IP address is merely the local loop IP, not the IP address of the individual who motivates an email.

    It’s not a legitimate privacy hole. Either FB plugged it or else it was hype designed to sell people into visiting the web site that made the claim.

  15. Lucifer says:

    The founder of Facebook has always been a scumbag. He stole the idea off his college roommate. What do you expect? Users of facebook are just fodder to monetize. Read the fine print – the Terms of Use on facebook guarantee you nothing. You deserve what you get if you make the conscious choice to join into an agreement to use their service. Caveat emptor. It’s like making a deal w/ the devil really.

  16. mlc says:

    Also, if you’re the type of person who thinks it easier than pasting into a random webpage, you can extract the IP address of the person who caused the email by just base64-decoding the string inside the square brackets in the X-Facebook header.

  17. Alex3917 says:

    Facebook used to show the last IP address each person used to log in right on their profile page. So is it even clear that this isn’t a feature?

  18. Anonymous says:

    Ok, this is massively, massively overblown.

    Do you use outlook? Thunderbird? Hotmail? Yahoo? ALL of those put the IP address of the sending computer in the headers. It’s an anti-spam measure more than anything. As an administrator who has to deal with tons of inbound spam, I am actually glad to see FB doing this, even if they’re obfuscating the IP address.

    Honestly folks, this is par for the course. It is in no way a huge scandal that facebook does this.

    • Zhiva says:

      You know, I just went and checked sources of my messages composed in Thunderbird. Guess what? There are no IP addresses in headers.

      • userw014 says:

        On Thunderbird for the Mac, version 3.0.1, I used [View] -> [Message Source] (or -U) to view the complete source. (The [View] -> [Headers] -> [All] doesn’t show all e-mail headers – you want to see the non-standard X-headers.)

        On Apple Mail, version 3.6, --H shows the headers.

        I don’t use web-based mail user agents if I can avoid it.

      • Anonymous says:

        Zhiva, you’re probably looking in the “sent” folder. Try sending a message to yourself, and looking at the sources when it arrives in your inbox. Then you’ll probably see a series of “Received:” headers, the earliest of which contains your current IP address.

  19. Anonymous says:

    Most people on facebook don’t want privacy, in my experience. People who post things such as “I’m on the toilet” probably aren’t too worried about people knowing their IP address. I’m not a facebooker myself.

    • MrJM says:

      Anon#11: ‘Most people on facebook don’t want privacy, in my experience. People who post things such as “I’m on the toilet” probably aren’t too worried about people knowing their IP address.’

      Perhaps “most people,” in your experience, post “I’m on the toilet,” but I believe your experience with “most people” is far from universal.

  20. Anonymous says:

    Does it mean you cannot locate who sent you an inbox message on fb?

  21. straponego says:

    It has been abundantly clear for years that Facebook is run by dishonest, incompetent scumbags hostile to the very concepts of privacy and individuality. Anybody who is surprised by this today… sorry, you bear most of the responsibility. Lie down with the dogs and all that.

    That said, I bear no grudge against people who know exactly how FB will try to screw you, and are still willing to hive up. Except that you drag others down with you, but I guess that’s next year’s surprise. Within a couple of years, stalking/paparazzi/surveillance will be crowdsourced. Combining GPS and cell phone cameras will make it simple: Hey, I’ll give you a $$ to take some pictures/video of that woman at the next table [pic attached]. Turn your mic on, too…

  22. Szwagier says:

    I’ve tried this with several, but it’s only giving me I’m apparently sending these things to myself.


      Ditto, but when I decoded the IP of an email announcing a friend’s comment on my status I found the city he lives in. Decoding my own address (town of 2000 people) gets the suburb 2 miles away. If you really wanted to find someone, narrowing it down to a few miles out of the entire planet would be sufficient. Undoubtedly more thorough methods would pinpoint the location more exactly.
      I doubt there’s anything that most people would go to the trouble to do about this, but it’s good to know that this exposure/risk is there for those with a motivation to remain anonymous.

  23. Razzabeth says:

    I tried to do it too, and I also couldn’t get it to work. I don’t see what you did there.

  24. s5 says:

    Checked your email headers lately? End user ip addresses have been sent out in email headers for literally decades.

  25. Anonymous says:

    Well, I’m glad they’ve fixed this, but saying it was for SPAM filter reasons makes no sense!

  26. Anonymous says:

    For everyone saying “wtf email headers have always contained your IP”, there’s a distinct difference between actually sending someone an email you wrote, and updating your status or friending someone (etc etc) on fb. These actions generate emails that you yourself do not write, and may not be aware are being sent out. It’s like the difference between sending someone a letter, and going to the bathroom. When you send someone a letter it’s pretty obvious to you that your return address is on the envelope, whereas if you’re doing something trivial within your house, you don’t automatically think “Oh hey, by eating this muffin I’m broadcasting my location to the entire fucking internet”

  27. Rider says:

    Facebook is not private get over it.

  28. mindkracked says:

    Time for a little subversion? maybe this will get some notice?!/group.php?gid=108860149157301/

  29. userw014 says:

    If you prefer to snoop on the base64 encoded “Zuck” line without being snooped upon (by the website that converts that text into handy information – and logs your IP address, browser, etc.), you can try one of the following (using the Z-Facebook: Zuck line in the article):

    From a Mac (or other machine with "perl" and "MIME::Base64" installed):

    perl -e 'use MIME::Base64; my $str=decode_base64("MTAuMzAuNDcuMjAw"); printf "%s\n", $str;'

    From a FreeBSD box:

    (echo MTAuMzAuNDcuMjAw | b64decode -r; echo " -END")

    On a Linux box with "base64":

    (echo MTAuMzAuNDcuMjAw | base64 -d ; echo " -END")

    Once you have the IP address, you can use “whois”, “dig”, and “traceroute” to poke around.

    Sorry – I don’t do Windows, and I’d be surprised if any form of a conventional Windows install would have anything to help you with the base64 decoding.

    • EH says:

      Sorry – I don’t do Windows, and I’d be surprised if any form of a conventional Windows install would have anything to help you with the base64 decoding.

      S’OK. It won’t assuage your bitterness but a Windows machine can run Perl+MIME::Base64 just like OSX can.

  30. jacques45 says:

    Hrm, I wonder if this has been fixed. Tried it out with a friend of mine and all we get is MTI3LjAuMC4x, which is However, going back a few days I can certainly see IP addresses.
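The local decoding described in comments 16, 29 and 30, as an added example that is not part of any commenter's post: it parses a message offline, decodes the bracketed token in the X-Facebook header, and reports whether the address is loopback, private or publicly routable. The sample messages are constructed; only the header shape and the two base64 strings come from the comments, and the function names are assumptions.

```python
import base64
import ipaddress
import re
from email import message_from_string

# Constructed sample messages. The header shape and both base64 strings are
# the ones quoted in the comments; sender and subject are made up.
SAMPLE_A = (
    "From: notification@example.invalid\n"
    "Subject: constructed sample\n"
    "X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])\n"
    "\n"
    "body\n"
)
SAMPLE_B = SAMPLE_A.replace("MTAuMzAuNDcuMjAw", "MTI3LjAuMC4x")

# A base64 token wrapped in square brackets, as in the quoted header.
BRACKETED = re.compile(r"\[([A-Za-z0-9+/=]+)\]")


def classify(ip):
    """Label an address by how much it tells a recipient."""
    if ip.is_loopback:      # check first: loopback also counts as private
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def leaked_addresses(raw_message, header="X-Facebook"):
    """Return [(ip, label)] for each bracketed token that decodes to an IP."""
    msg = message_from_string(raw_message)
    found = []
    for value in msg.get_all(header, []):
        for token in BRACKETED.findall(value):
            try:
                text = base64.b64decode(token, validate=True).decode("ascii")
                ip = ipaddress.ip_address(text.strip())
            except ValueError:  # bad base64, non-ASCII bytes, or not an IP
                continue
            found.append((str(ip), classify(ip)))
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        print(leaked_addresses(sample))
```

Only a "public" result points at a routable address; a loopback or private value says nothing about where the user is.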

  31. johnnyaction says:

    Different way of decoding the zuckmail text is the following..

    Of this: X-Facebook: from zuckmail ([MTAuMzAuNDcuMjAw])
    you can take this: MTAuMzAuNDcuMjAw

    enter it here and get the ip address:

  32. rtresco says:

    You’re really indignant about people learning your location? I hope you are also going to your porch and prying off those pesky numbers that are your mailing address. You know, the physical location everyone can find you at, without the help of technology.

    • userw014 says:

      @rtresco : How does prying the numbers off your house help? That only protects you (briefly) from people who would have been able to see the numbers from the street – and most people could probably work out what the number would be anyway by comparing the numbers of nearby houses.

      • rtresco says:

        It’s about hiding out in the open. Like “privacy” and “social networks”. No one will find me without the numbers.

  33. Anonymous says:

    I have recently been bullied from gmail and facebook and unfortunately I did not know about it. This would help to find the person that did it.

    if you cannot do it by yourself others don’t care at all.

    so I believe it was a good thing to get this info.

  34. Anonymous says:

    I turned off all email notifications but I still get:

    XXX XXXXX commented on your link… from Facebook
    reply-to noreply
    date Mon, Dec 28, 2009 at 5:22 PM
    subject XXXX XXXX commented on your link…
    mailed-by XXX.XXXX.XXXX

    I don’t see anything similar to an IP address though.

  35. technogeek says:

    If it’s on Facebook, it’s public. Period.

  36. Razzabeth says:

    Sorry, guys. Can someone please post a step-by-step, so simple a cat could do it, explanation of how exactly you guys are doing this? The instructions are too vague and I can’t get it to work. Assume I’m a complete newb and explain, please. Header? What’s a header? Where is that?

    • proletariat says:

      Sorry, guys. Can someone please post a step-by-step, so simple a cat could do it, explanation of how exactly you guys are doing this? The instructions are too vague and I can’t get it to work. Assume I’m a complete newb and explain, please. Header? What’s a header? Where is that?

      Here is a guide showing how to view the entire email messages, including headers, in various email clients. Using the message source, you should be able to follow the instructions in Xeni’s post. Then kitty can has sender’s IP.
