AusCERT Facebook photo hack may be a test case

A demonstration at the AusCERT conference in which Facebook photos were taken from a user profile without authorisation and published may be a test case for Commonwealth and state computer crime laws, according to Queensland Police.

In a presentation at the BSidesAu conference held in tandem with AusCERT, an IT security expert siphoned personal photographs from a private Facebook account of the wife of another IT security professional.

Police also seized the journalist’s iPad.

Responding to questions by SC Magazine today, Detective Superintendent Brian Hay said that the incident could be considered a test case for computer crimes laws.

“We are investigating issues of that nature,” Hay said. “Some aspects of it can most certainly be a test case. It is fair to say that jurisdictions are coming to grips with cyber based investigations.”

The exploit presentation was designed to demonstrate a well-known vulnerability in Facebook in which URL addresses linking to photographs in a profile set to private were obtained in a brute force style attack.

While the attack did not crack usernames or passwords, it may have contravened Commonwealth and State computer crime laws which outlaw unauthorised access to electronic files, police said.

The Commonwealth Criminal Code Act states that “access to data held in a computer… by a person is unauthorised if the person is not entitled to cause that access, modification or impairment.”

Other laws also prevent use of a telecommunications carriage service to harass or menace.

The accessed photos may be considered a proceed of crime.

Speaking of the avenues of investigation, Hay said “other actions have been put in place”.

 “We may have people out there that think it is their right to do this. The reality is the online environment is an extension of the community.”

Copyright © SC Magazine, Australia