is a interesting, and very commonly misundestood, concept in IT. Lots of security flaws online can have its origins on this misunderstanding, hence the relevance of clearly all this. This topic is relevant for both security and programming perspectives.Privacy for humans is, (most of the time) simple. When we tell someone "this is private", the person understands "do not show to anybody"
, but privacy is a human concept, not a machine concept.Privacy for machines means the same but is applied differently. When we indicate "this is private", the machine understands "do not show to other humans"
. This is why is important to test the privacy settings when putting something online: just because something says "private", doesn't mean it actually is... How can this misconception originate flaws?
When a website is designed, the designer makes a "privacy setup" menu and adds the option to make something private. He/She can also request for authentication, such as a valid login, or ask for payment (for reading/viewing intellectual property or avoid piracy). The problem is when this "privacy" is not fully tested or even understood from the machines' "point of view". This allows people to trick the website. If "private" means it can't be shared with humans, any humans trying to access the file will be prompted for authentication or blocked. But what about if a machine asks another machine? How are this flaws exploited?
This doesn't happen on all websites, but happens on some. Some websites may block one of this flaws but allow another... Hackers can use this "misconception" to trick several websites, bypassing some of this mechanisms, by using machines to ask other machines. Here are some examples of it:
- A good example of this is asking Google to ask some specific file. Since the hacker can't access the website and normally getting the file, He/She can ask Google, using the "filetype:" operator, if Google can get the file. On some websites, since its a machine asking another machine, it is allowed.
- Another example is when we want to see a picture on a social network website. If we "left-click" the thumbnail, it demands us to get an account or login, (forcing us to accept the terms of service and privacy to view it), but if we "right-click" and select "open in new tab", since its the browser asking, instead of manually operated buttons (AKA=Human), it simply loads the picture.
- Another good example is using Google cache to view a detailed profile on social networks (like on the previous examples, we couldn't view it without an account), or a topic on a fórum, that since it is "for members only", requires a valid login.
- Another example is using some program to change our "user agent" to something like "Google Bot", to allow us to view content of websites without being asked for payment or authentication, tricking the privacy setup of the website.
All this examples exist and are fairly common. I've tested and found all of them, sometimes with little harm, and sometimes exposing sensitive private information. "Private" only makes a filter, but there are many ways to bypass that filter if properly misconfigured.Google isn't the only machine we can try to "trick into asking" another machine. The search engines can only index what they are allowed (in the robots.txt configuration), and sometimes, they aren't allowed to view content. When that happens, hackers try other methods like "open in new tab" to avoid manually operated buttons, or URL hacking (changing the URL directly to navigate directories on websites). All that and more can be used, all based on the flaws of the concept of "privacy". Please note: I use the term "hacker" but not with negative meaning. "Hacker" here is used as someone who tries to bend the privacy rules, independent of intention.