lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 1 Apr 2014 21:01:03 +0200
From: Andreas Lindh <addelindh@...il.com>
To: Willie Gillespie <wgillespie+fulldisclosure@...eng.com>
Cc: fulldisclosure <fulldisclosure@...lists.org>,
	Philip Whitehouse <philip@...uk.com>
Subject: Re: [FD] Access anyone's Facebook "profile picture" in full
 resolution regardless of the ACL restriction

Hey guys,

Please don't turn this into a "Google/YouTube arbitrary file upload"
thread, ok? :)

kthxbye

Andreas


2014-04-01 20:48 GMT+02:00 Willie Gillespie <
wgillespie+fulldisclosure@...eng.com>:

> You are both right.
>
> * You can get the full resolution copy of the profile picture by modifying
> the URL in various ways.
>
> * You can easily get the URL of any user's profile picture if you know
> their profile URL or user id.
>
> * But all this is because Facebook considers the photo "public
> information" and does not try to restrict it. [1]
>
> [1] https://www.facebook.com/help/193629617349922
>
> On 04/01/2014 08:49 AM, Philip Whitehouse wrote:
>
>> Again they need the URL.
>>
>> If you have a way to determine the URL of a specific user's profile image
>> from public info that would be a vulnerability.
>>
>> Simply the ability for a user or allowed visitor to copy the URL is not.
>>
>> You can determine who can see the URL in your Facebook privacy settings.
>>
>> Philip Whitehouse
>>
>> ----- Reply message -----
>> From: "Bipin Gautam" <bipin.gautam@...il.com>
>> To: "Philip Whitehouse" <philip@...uk.com>
>> Cc: "fulldisclosure" <fulldisclosure@...lists.org>
>> Subject: Access anyone's Facebook "profile picture" in full resolution
>> regardless of the ACL restriction
>> Date: Tue, Apr 1, 2014 15:19
>>
>> Hi,
>>
>> the POC is about "anyone being able to access anyone's facebook
>> profile picture in full resolution" + regardless of the ACL set to
>> their facebook profile picture (say; even when your profile picture
>> permission of your facebook is set as... viewable to "only me" or
>> "friends" ) ...anyone can see your full resolution profile picture
>> even without logging on to facebook with the following method!
>>
>> (Assumption: maybe if you (your ISP?) are using CDN and someone in
>> your ISP / region have already viewed the profile picture and as it is
>> already fetched locally / cached in local CDN so, other party can
>> access it? Does CND have IP restriction for a region / ISP ? )
>>
>> Try... it works for me, Make sense ?
>>
>>
>> On 4/1/14, Philip Whitehouse <philip@...uk.com> wrote:
>>
>>> This is not a vulnerability.
>>>
>>> The image path is not predictable. Sharing the URL is by itself giving
>>> permission for the other party to see it.
>>>
>>> Even if it were possible to restrict access it could be circumvented by
>>> downloading it and emailing the file instead of the URL
>>>
>>>
>>> Philip Whitehouse
>>>
>>> ----- Reply message -----
>>> From: "Bipin Gautam" <bipin.gautam@...il.com>
>>> To: "fulldisclosure" <fulldisclosure@...lists.org>
>>> Subject: Access anyone's Facebook "profile picture" in full resolution
>>> regardless of the ACL restriction
>>> Date: Tue, Apr 1, 2014 10:59
>>>
>>> Hi List,
>>>
>>> I felt like writing / pointing this minor issue, as it as its "Facebook"
>>> ...
>>>
>>> This issue is due to the way facebook pictures are stored in CDN
>>> without authentication mechanism, during accessing it. (which would be
>>> way technically complicated to implement it)
>>>
>>> Also, it is a Facebook feature that... if you have full path of an
>>> image, you can pass it to anyone over the internet which they can
>>> access it directly (and the facebook user should not have unrealistic
>>> expectation to privacy. Hence, if someone can access an image they can
>>> save/email it to others, anyway.)
>>>
>>>
>>> POC:
>>>
>>> ( Please TEST it in a real profile, real world example and it should
>>> work. I obviously changed the URL, POC below, to gibberish
>>> "6549_16544614736_444444875_n.jpg" )
>>>
>>> STEPS:
>>>
>>> You could try this by :
>>>
>>> - changing your own facebook profile picture viewable to "only me",
>>> then bookmark your own Facebook profile and logout and clear cache.
>>>
>>> - or then try different browser with your own profile from bookmark,
>>> without logging in to facebook!
>>>
>>> - or pass your FB profile to a friend, with the following instruction.
>>>
>>> ___
>>>
>>> - then, in your browser, "Right click the Facebook profile image" that
>>> you want to access in full resolution (that have ACL as access to
>>> "only me" or "friends" ) > click "Copy image location" > paste it in
>>> notepad
>>>
>>> sample url you will get (this link below is broken)
>>>
>>> :[1]
>>> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/
>>> t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg
>>>
>>>
>>> to remove from [1]: "/c0.18.160.160/p160x160"   (part; in other cases,
>>> the url structure may be different, you just have to find and remove
>>> this middle part...)
>>>
>>> final modified url from above, which you can access the profile
>>> picture in full resolution via your browser :
>>>
>>> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/
>>> t1.0-1/6549_16544614736_444444875_n.jpg
>>>
>>>
>>> Respectfully,
>>> -bipin
>>>
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists