Emails from Facebook contained IP addresses
Facebook can be configured to send emails informing users of events such as when a friend comments on the user's status or sends a message. One of the headers in the email can be used to work out the friend's IP address. The header looks like this:
X-Facebook: from zuckmail ([ODAuMTcxLjM2LjY0])
by www.facebook.com with HTTP (ZuckMail);
The string in the square brackets is a Base64 encoded IP address, apparently from the Facebook user who sent the message. Services such as MyIPTest.com's e-mail tracer can be used to convert it back into an IP address and obtain further information.
An IP address is not a big deal in itself, but in Germany it can in some cases be traced back to a particular person. There is no obvious reason why an IP address should be included in this type of message.
Facebook has now apparently recognised and resolved the problem. The H's associates at heise Security carried out multiple tests on Saturday afternoon, all of which simply returned the IP address 127.0.0.1 (localhost). Older emails for status updates contained plausible IP addresses.
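The decoding described above, and the localhost result the follow-up tests returned, can be checked mechanically. The following is an added example, not code from The H or from Facebook: it parses a notification mail, pulls the bracketed token out of the X-Facebook header, Base64-decodes it, and classifies the result the way a mail-privacy reviewer would (a public address means a user's address is leaking to the recipient; 127.0.0.1 is the post-fix placeholder). The two raw messages are constructed samples; the first carries the exact token quoted in the article, the second carries the Base64 form of 127.0.0.1.

```python
import base64
import binascii
import email
import ipaddress
import re
from email import policy

# Constructed sample: a minimal notification mail carrying the header shape
# quoted in the article. The Base64 token is the one shown on the page.
LEAKY_MESSAGE = """\
From: notification@facebookmail.example
To: user@example.org
Subject: A friend commented on your status
X-Facebook: from zuckmail ([ODAuMTcxLjM2LjY0])
 by www.facebook.com with HTTP (ZuckMail);

constructed body
"""

# Constructed sample of a post-fix mail: the token is Base64("127.0.0.1").
FIXED_MESSAGE = """\
From: notification@facebookmail.example
To: user@example.org
Subject: A friend sent you a message
X-Facebook: from zuckmail ([MTI3LjAuMC4x])
 by www.facebook.com with HTTP (ZuckMail);

constructed body
"""

# Only the bracketed token after "from zuckmail" is of interest.
HEADER_TOKEN = re.compile(r"\(\[([A-Za-z0-9+/=]+)\]\)")


def decode_token(token: str):
    """Base64-decode one bracketed token; return an ipaddress object,
    or None when the token is not valid Base64 or not an IP address."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
        return ipaddress.ip_address(raw)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_facebook_ip(raw_message: str):
    """Parse a raw RFC 5322 message and return the IP hidden in its
    X-Facebook header, or None if the header or token is absent."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header = msg.get("X-Facebook")
    if header is None:
        return None
    # policy.default unfolds the continuation line, so a plain search works.
    match = HEADER_TOKEN.search(header)
    if not match:
        return None
    return decode_token(match.group(1))


def classify(addr):
    """Triage label for a decoded address."""
    if addr is None:
        return "no-ip"
    if addr.is_loopback:
        return "loopback"   # what the fixed mails returned (127.0.0.1)
    if addr.is_private:
        return "private"
    return "public"         # a real user address reaching the recipient


def review(raw_message: str):
    """Return (address string or None, triage label) for one message."""
    addr = extract_facebook_ip(raw_message)
    return (str(addr) if addr else None, classify(addr))


if __name__ == "__main__":
    print(review(LEAKY_MESSAGE))   # ('80.171.36.64', 'public')
    print(review(FIXED_MESSAGE))   # ('127.0.0.1', 'loopback')
```

The token on the page decodes to 80.171.36.64, a public address, which is exactly the condition a reviewer of outbound notification mail would flag; after the fix the same check yields only the loopback label.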
- Facebook closes serious security hole, a report from The H.