| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Apr 2014 21:01:03 +0200 From: Andreas Lindh <addelindh@...il.com> To: Willie Gillespie <wgillespie+fulldisclosure@...eng.com> Cc: fulldisclosure <fulldisclosure@...lists.org>, Philip Whitehouse <philip@...uk.com> Subject: Re: [FD] Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction Hey guys, Please don't turn this into a "Google/YouTube arbitrary file upload" thread, ok? :) kthxbye Andreas 2014-04-01 20:48 GMT+02:00 Willie Gillespie < wgillespie+fulldisclosure@...eng.com>: > You are both right. > > * You can get the full resolution copy of the profile picture by modifying > the URL in various ways. > > * You can easily get the URL of any user's profile picture if you know > their profile URL or user id. > > * But all this is because Facebook considers the photo "public > information" and does not try to restrict it. [1] > > [1] https://www.facebook.com/help/193629617349922 > > On 04/01/2014 08:49 AM, Philip Whitehouse wrote: > >> Again they need the URL. >> >> If you have a way to determine the URL of a specific user's profile image >> from public info that would be a vulnerability. >> >> Simply the ability for a user or allowed visitor to copy the URL is not. >> >> You can determine who can see the URL in your Facebook privacy settings. >> >> Philip Whitehouse >> >> ----- Reply message ----- >> From: "Bipin Gautam" <bipin.gautam@...il.com> >> To: "Philip Whitehouse" <philip@...uk.com> >> Cc: "fulldisclosure" <fulldisclosure@...lists.org> >> Subject: Access anyone's Facebook "profile picture" in full resolution >> regardless of the ACL restriction >> Date: Tue, Apr 1, 2014 15:19 >> >> Hi, >> >> the POC is about "anyone being able to access anyone's facebook >> profile picture in full resolution" + regardless of the ACL set to >> their facebook profile picture (say; even when your profile picture >> permission of your facebook is set as... viewable to "only me" or >> "friends" ) ...anyone can see your full resolution profile picture >> even without logging on to facebook with the following method! >> >> (Assumption: maybe if you (your ISP?) are using CDN and someone in >> your ISP / region have already viewed the profile picture and as it is >> already fetched locally / cached in local CDN so, other party can >> access it? Does CND have IP restriction for a region / ISP ? ) >> >> Try... it works for me, Make sense ? >> >> >> On 4/1/14, Philip Whitehouse <philip@...uk.com> wrote: >> >>> This is not a vulnerability. >>> >>> The image path is not predictable. Sharing the URL is by itself giving >>> permission for the other party to see it. >>> >>> Even if it were possible to restrict access it could be circumvented by >>> downloading it and emailing the file instead of the URL >>> >>> >>> Philip Whitehouse >>> >>> ----- Reply message ----- >>> From: "Bipin Gautam" <bipin.gautam@...il.com> >>> To: "fulldisclosure" <fulldisclosure@...lists.org> >>> Subject: Access anyone's Facebook "profile picture" in full resolution >>> regardless of the ACL restriction >>> Date: Tue, Apr 1, 2014 10:59 >>> >>> Hi List, >>> >>> I felt like writing / pointing this minor issue, as it as its "Facebook" >>> ... >>> >>> This issue is due to the way facebook pictures are stored in CDN >>> without authentication mechanism, during accessing it. (which would be >>> way technically complicated to implement it) >>> >>> Also, it is a Facebook feature that... if you have full path of an >>> image, you can pass it to anyone over the internet which they can >>> access it directly (and the facebook user should not have unrealistic >>> expectation to privacy. Hence, if someone can access an image they can >>> save/email it to others, anyway.) >>> >>> >>> POC: >>> >>> ( Please TEST it in a real profile, real world example and it should >>> work. I obviously changed the URL, POC below, to gibberish >>> "6549_16544614736_444444875_n.jpg" ) >>> >>> STEPS: >>> >>> You could try this by : >>> >>> - changing your own facebook profile picture viewable to "only me", >>> then bookmark your own Facebook profile and logout and clear cache. >>> >>> - or then try different browser with your own profile from bookmark, >>> without logging in to facebook! >>> >>> - or pass your FB profile to a friend, with the following instruction. >>> >>> ___ >>> >>> - then, in your browser, "Right click the Facebook profile image" that >>> you want to access in full resolution (that have ACL as access to >>> "only me" or "friends" ) > click "Copy image location" > paste it in >>> notepad >>> >>> sample url you will get (this link below is broken) >>> >>> :[1] >>> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/ >>> t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg >>> >>> >>> to remove from [1]: "/c0.18.160.160/p160x160" (part; in other cases, >>> the url structure may be different, you just have to find and remove >>> this middle part...) >>> >>> final modified url from above, which you can access the profile >>> picture in full resolution via your browser : >>> >>> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/ >>> t1.0-1/6549_16544614736_444444875_n.jpg >>> >>> >>> Respectfully, >>> -bipin >>> >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> http://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ >> >> > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists