lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 01 Apr 2014 12:48:36 -0600
From: Willie Gillespie <wgillespie+fulldisclosure@...eng.com>
To: Philip Whitehouse <philip@...uk.com>, 
	Bipin Gautam <bipin.gautam@...il.com>
Cc: fulldisclosure <fulldisclosure@...lists.org>
Subject: Re: [FD] Access anyone's Facebook "profile picture" in full
 resolution regardless of the ACL restriction

You are both right.

* You can get the full resolution copy of the profile picture by 
modifying the URL in various ways.

* You can easily get the URL of any user's profile picture if you know 
their profile URL or user id.

* But all this is because Facebook considers the photo "public 
information" and does not try to restrict it. [1]

[1] https://www.facebook.com/help/193629617349922

On 04/01/2014 08:49 AM, Philip Whitehouse wrote:
> Again they need the URL.
>
> If you have a way to determine the URL of a specific user's profile image from public info that would be a vulnerability.
>
> Simply the ability for a user or allowed visitor to copy the URL is not.
>
> You can determine who can see the URL in your Facebook privacy settings.
>
> Philip Whitehouse
>
> ----- Reply message -----
> From: "Bipin Gautam" <bipin.gautam@...il.com>
> To: "Philip Whitehouse" <philip@...uk.com>
> Cc: "fulldisclosure" <fulldisclosure@...lists.org>
> Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction
> Date: Tue, Apr 1, 2014 15:19
>
> Hi,
>
> the POC is about "anyone being able to access anyone's facebook
> profile picture in full resolution" + regardless of the ACL set to
> their facebook profile picture (say; even when your profile picture
> permission of your facebook is set as... viewable to "only me" or
> "friends" ) ...anyone can see your full resolution profile picture
> even without logging on to facebook with the following method!
>
> (Assumption: maybe if you (your ISP?) are using CDN and someone in
> your ISP / region have already viewed the profile picture and as it is
> already fetched locally / cached in local CDN so, other party can
> access it? Does CND have IP restriction for a region / ISP ? )
>
> Try... it works for me, Make sense ?
>
>
> On 4/1/14, Philip Whitehouse <philip@...uk.com> wrote:
>> This is not a vulnerability.
>>
>> The image path is not predictable. Sharing the URL is by itself giving
>> permission for the other party to see it.
>>
>> Even if it were possible to restrict access it could be circumvented by
>> downloading it and emailing the file instead of the URL
>>
>>
>> Philip Whitehouse
>>
>> ----- Reply message -----
>> From: "Bipin Gautam" <bipin.gautam@...il.com>
>> To: "fulldisclosure" <fulldisclosure@...lists.org>
>> Subject: Access anyone's Facebook "profile picture" in full resolution
>> regardless of the ACL restriction
>> Date: Tue, Apr 1, 2014 10:59
>>
>> Hi List,
>>
>> I felt like writing / pointing this minor issue, as it as its "Facebook" ...
>>
>> This issue is due to the way facebook pictures are stored in CDN
>> without authentication mechanism, during accessing it. (which would be
>> way technically complicated to implement it)
>>
>> Also, it is a Facebook feature that... if you have full path of an
>> image, you can pass it to anyone over the internet which they can
>> access it directly (and the facebook user should not have unrealistic
>> expectation to privacy. Hence, if someone can access an image they can
>> save/email it to others, anyway.)
>>
>>
>> POC:
>>
>> ( Please TEST it in a real profile, real world example and it should
>> work. I obviously changed the URL, POC below, to gibberish
>> "6549_16544614736_444444875_n.jpg" )
>>
>> STEPS:
>>
>> You could try this by :
>>
>> - changing your own facebook profile picture viewable to "only me",
>> then bookmark your own Facebook profile and logout and clear cache.
>>
>> - or then try different browser with your own profile from bookmark,
>> without logging in to facebook!
>>
>> - or pass your FB profile to a friend, with the following instruction.
>>
>> ___
>>
>> - then, in your browser, "Right click the Facebook profile image" that
>> you want to access in full resolution (that have ACL as access to
>> "only me" or "friends" ) > click "Copy image location" > paste it in
>> notepad
>>
>> sample url you will get (this link below is broken)
>>
>> :[1]
>> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg
>>
>>
>> to remove from [1]: "/c0.18.160.160/p160x160"   (part; in other cases,
>> the url structure may be different, you just have to find and remove
>> this middle part...)
>>
>> final modified url from above, which you can access the profile
>> picture in full resolution via your browser :
>>
>> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg
>>
>>
>> Respectfully,
>> -bipin
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists