FriendFeed Images on Amazon S3 – Potential Exploits

It’s been a while, I know. Been busy, still alive, thanks for asking.

Here’s a little test I performed. About two months ago I deleted an entry which had an image attached to it. I noted the URL of the uploaded image (the location where FF stored it on Amazon S3 storage service).

I checked this URL a few hours later, the next day, next week and so on, assuming there’s some sort of garbage collection process that would delete this resource, but the image is still there at the time of writing. I have repeated this test more than once.

This raises a few concerns:

  1. Potential exploit #1 – someone who wants to save on their site’s bandwidth costs can store images on FF at no cost.
  2. Potential exploit #2 – storing files on Amazon S3 costs FF money (currently $0.15 a month per 1GB), so if someone wants to increase FF’s monthly bill they can just dump a lot of large photos there. Not to mention bandwidth costs (think Digg homepage kind of traffic).
  3. An entry you delete might not really be deleted – if FF doesn’t bother deleting these binary resources, one may assume the text is kept as well, which is a bit of a problem if you shared something by mistake and wouldn’t want it popping up in the future.

Of course this could all just be a bug and these images should have been deleted in the first place. I’m just speculating here.

2 thoughts on “FriendFeed Images on Amazon S3 – Potential Exploits

  1. Louis Gray

    When I was at the hospital following the birth of our twins, the hospital blocked all FTP access, but I was able to send images to FriendFeed, as you mention, using their Mail2FF feature, and having the images hosted by AWS. I later could make a blog post using those images. I didn’t see it as an exploit, but instead a work-around, although you are right.

    This was one post that continues to “borrow” FriendFeed’s disk space.
    http://www.louisgray.com/live/2008/06/is-your-web-getting-filtered-whats.html

Comments are closed.