| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 01 Apr 2014 12:48:36 -0600 From: Willie Gillespie <wgillespie+fulldisclosure@...eng.com> To: Philip Whitehouse <philip@...uk.com>, Bipin Gautam <bipin.gautam@...il.com> Cc: fulldisclosure <fulldisclosure@...lists.org> Subject: Re: [FD] Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction You are both right. * You can get the full resolution copy of the profile picture by modifying the URL in various ways. * You can easily get the URL of any user's profile picture if you know their profile URL or user id. * But all this is because Facebook considers the photo "public information" and does not try to restrict it. [1] [1] https://www.facebook.com/help/193629617349922 On 04/01/2014 08:49 AM, Philip Whitehouse wrote: > Again they need the URL. > > If you have a way to determine the URL of a specific user's profile image from public info that would be a vulnerability. > > Simply the ability for a user or allowed visitor to copy the URL is not. > > You can determine who can see the URL in your Facebook privacy settings. > > Philip Whitehouse > > ----- Reply message ----- > From: "Bipin Gautam" <bipin.gautam@...il.com> > To: "Philip Whitehouse" <philip@...uk.com> > Cc: "fulldisclosure" <fulldisclosure@...lists.org> > Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction > Date: Tue, Apr 1, 2014 15:19 > > Hi, > > the POC is about "anyone being able to access anyone's facebook > profile picture in full resolution" + regardless of the ACL set to > their facebook profile picture (say; even when your profile picture > permission of your facebook is set as... viewable to "only me" or > "friends" ) ...anyone can see your full resolution profile picture > even without logging on to facebook with the following method! > > (Assumption: maybe if you (your ISP?) are using CDN and someone in > your ISP / region have already viewed the profile picture and as it is > already fetched locally / cached in local CDN so, other party can > access it? Does CND have IP restriction for a region / ISP ? ) > > Try... it works for me, Make sense ? > > > On 4/1/14, Philip Whitehouse <philip@...uk.com> wrote: >> This is not a vulnerability. >> >> The image path is not predictable. Sharing the URL is by itself giving >> permission for the other party to see it. >> >> Even if it were possible to restrict access it could be circumvented by >> downloading it and emailing the file instead of the URL >> >> >> Philip Whitehouse >> >> ----- Reply message ----- >> From: "Bipin Gautam" <bipin.gautam@...il.com> >> To: "fulldisclosure" <fulldisclosure@...lists.org> >> Subject: Access anyone's Facebook "profile picture" in full resolution >> regardless of the ACL restriction >> Date: Tue, Apr 1, 2014 10:59 >> >> Hi List, >> >> I felt like writing / pointing this minor issue, as it as its "Facebook" ... >> >> This issue is due to the way facebook pictures are stored in CDN >> without authentication mechanism, during accessing it. (which would be >> way technically complicated to implement it) >> >> Also, it is a Facebook feature that... if you have full path of an >> image, you can pass it to anyone over the internet which they can >> access it directly (and the facebook user should not have unrealistic >> expectation to privacy. Hence, if someone can access an image they can >> save/email it to others, anyway.) >> >> >> POC: >> >> ( Please TEST it in a real profile, real world example and it should >> work. I obviously changed the URL, POC below, to gibberish >> "6549_16544614736_444444875_n.jpg" ) >> >> STEPS: >> >> You could try this by : >> >> - changing your own facebook profile picture viewable to "only me", >> then bookmark your own Facebook profile and logout and clear cache. >> >> - or then try different browser with your own profile from bookmark, >> without logging in to facebook! >> >> - or pass your FB profile to a friend, with the following instruction. >> >> ___ >> >> - then, in your browser, "Right click the Facebook profile image" that >> you want to access in full resolution (that have ACL as access to >> "only me" or "friends" ) > click "Copy image location" > paste it in >> notepad >> >> sample url you will get (this link below is broken) >> >> :[1] >> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg >> >> >> to remove from [1]: "/c0.18.160.160/p160x160" (part; in other cases, >> the url structure may be different, you just have to find and remove >> this middle part...) >> >> final modified url from above, which you can access the profile >> picture in full resolution via your browser : >> >> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg >> >> >> Respectfully, >> -bipin > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists