Privacy Police

New Website, ‘Rank NYU’, Rates Coeds, Reveals Private Facebook Pictures

screen shot 2011 10 03 at 10 19 55 am New Website, Rank NYU, Rates Coeds, Reveals Private Facebook Pictures

The Hex Bandits Handywork

Do you remember that part at the beginning of The Social Network where a young and naïve Mark Zuckerberg created Facemash, a site where Harvard kids could choose between two different female students based on who was hotter? Well someone finally figured out how to replicate the hack with our own universities.

Over the summer, some hackers called the Hex Bandits created Rank NYU. Visitors can choose between two female NYU students, effectively ranking them. The Bandits told Betabeat that critics could use a sense of humor.

“We knew this site would piss some people off, but we don’t have any bad intentions,” they said. “Believe it or not we actually went through a lot of effort to make it as nice as possible.”

The hackers aren’t affiliated with the university, but said that they go to another university in the city. They explained they got the idea from The Social Network. A friend told the Bandits a replica site required only basic programming knowledge and the Bandits said the coding was simple—kind of.

“It should have been,” the Bandits said. “None of us have a background in programming, at most one of us took a web design course in high school. We learned everything we needed to know to build the site from open source material on the web.”

The Hex Bandits said in the post the pictures came from girls’ Facebook public profile pictures.

One of the girls on the site, Becca, an NYU junior, said having her profile picture on the site felt like an invasion of privacy. “I clearly didn’t allow it to be posted,” she said. “There is no warning on Facebook for posting pictures that the can be used in an app type format.”

However, the Bandits told Betabeat they didn’t have a complicated system for obtaining pictures.

“Ninety percent of the time it took to build the site was getting those damn pictures,” they said. After creating a Rank NYU Facebook account that they said went to NYU, the Bandits searched NYU graduation class groups and manually downloaded pictures best showing female students’ faces from public profiles.

“Looking through thousands of peoples’ pictures, you would not believe the things we saw,” they said. “Seriously, some people really need to think about changing their privacy settings. We saw everything from topless photos to someone blowing coke off a mirror.”

While Facebook has not responded to Betabeat’s inquiry about the Bandits utilizing user profile pictures for Rank NYU, the Bandits noted some flaws in Facebook security.

“Originally, we just linked to pictures directly on Facebook. Yes, that is a huge flaw in their security. Even if someone’s picture is set to private, if we link directly to the .jpg file, anyone can see it,” they said.

The Bandits noted that the site has been a target of some hacking attempts.

“You may have noticed the #1 girl on the rankings page had a disproportional amount of matches,” they said. “Someone figured out how to send in fake wins. It’s not hard to do, we just never thought anyone would do it. We’re working on fixing this.”

The Hex Bandits explained that someone also tried to permanently delete the site, using an SQL Injection in the comments section.

“They tried to insert code that would be sent to the database and cause it to delete itself. They failed,” the Bandits said.

The Bandits don’t see any real future for Rank NYU, except maybe some additional upgrades.

“We’re playing around with the idea of a Kill, Fuck, Marry mode, page themes, slider bars to rank girls in categories, and a few others,” they said. “Only time will tell.”