Message-ID: <20140401202300.GP2288@rincewind.skullsecurity.org>
Date: Tue, 1 Apr 2014 13:23:00 -0700
From: Ron <ron@...llsecurity.net>
To: Eric Rand <eric.rand@...wnhatsecurity.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Access anyone's Facebook "profile picture" in full
 resolution regardless of the ACL restriction

By that same token, passwords, private keys, and any sort of signatures
should also be considered an issue. Sure, passwords are effectively
security by obscurity, but with enough entropy and the ability to detect
abuses, it's not an issue.

So essentially, it's *maybe* a vulnerability in the academic sense, but
this is the real world. On that note, I was gonna put "in before
arbitrary file upload to youtube", but somebody else beat me to it. :)

Ron

On 2014-04-01 11:46, Eric Rand wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Security through obscurity is not security at all; if you are going to
> provide ACLs, then you have an ethical obligation to ensure that they
> do work regardless of the access path of the file.
> 
> Compromising a facebook account and 'leaking' the image URLs for
> access by other persons provides a means of obscuring the path of
> leakage, thus compromising the capability of auditing the source of
> the breach.
> 
> In cases where the breach violates the law, as per California's
> statutes against 'revenge porn' and the like, this directly inhibits
> the ability of police to investigate the breach.
> 
> Accordingly, just as in the case of the AT&T "breach", Facebook is
> keeping data in a publicly accessible fashion that should not be
> publicly accessible.
> 
> The best practice for these situations is to enforce ACLs by
> authenticating those users requesting a file to ensure that they are
> permitted to do so, instead of relying on knowledge of the URL as the
> authorization token.
> 
> On 04/01/2014 07:49 AM, Philip Whitehouse wrote:
> > Again they need the URL.
> > 
> > If you have a way to determine the URL of a specific user's profile
> > image from public info that would be a vulnerability.
> > 
> > Simply the ability for a user or allowed visitor to copy the URL is
> > not.
> > 
> > You can determine who can see the URL in your Facebook privacy
> > settings.
> > 
> > Philip Whitehouse
> > 
> > ----- Reply message -----
> > From: "Bipin Gautam" <bipin.gautam@...il.com>
> > To: "Philip Whitehouse" <philip@...uk.com>
> > Cc: "fulldisclosure" <fulldisclosure@...lists.org>
> > Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction
> > Date: Tue, Apr 1, 2014 15:19
> > 
> > Hi,
> > 
> > the POC is about "anyone being able to access anyone's facebook 
> > profile picture in full resolution" + regardless of the ACL set to 
> > their facebook profile picture (say; even when your profile
> > picture permission of your facebook is set as... viewable to "only
> > me" or "friends" ) ...anyone can see your full resolution profile
> > picture even without logging on to facebook with the following
> > method!
> > 
> > (Assumption: maybe if you (your ISP?) are using a CDN and someone in
> > your ISP / region has already viewed the profile picture, and as it
> > is already fetched locally / cached in the local CDN, the other party
> > can access it? Does the CDN have IP restriction for a region / ISP ? )
> > 
> > Try... it works for me, Make sense ?
> > 
> > 
> > On 4/1/14, Philip Whitehouse <philip@...uk.com> wrote:
> >> This is not a vulnerability.
> >> 
> >> The image path is not predictable. Sharing the URL is by itself
> >> giving permission for the other party to see it.
> >> 
> >> Even if it were possible to restrict access it could be
> >> circumvented by downloading it and emailing the file instead of
> >> the URL
> >> 
> >> 
> >> Philip Whitehouse
> >> 
> >> ----- Reply message -----
> >> From: "Bipin Gautam" <bipin.gautam@...il.com>
> >> To: "fulldisclosure" <fulldisclosure@...lists.org>
> >> Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction
> >> Date: Tue, Apr 1, 2014 10:59
> >> 
> >> Hi List,
> >> 
> >> I felt like writing / pointing out this minor issue, as it is
> >> "Facebook" ...
> >> 
> >> This issue is due to the way facebook pictures are stored in the CDN
> >> without an authentication mechanism when accessing them (which
> >> would be technically complicated to implement).
> >> 
> >> Also, it is a Facebook feature that... if you have the full path of
> >> an image, you can pass it to anyone over the internet and they
> >> can access it directly (and the facebook user should not have an
> >> unrealistic expectation of privacy. Hence, if someone can access
> >> an image they can save/email it to others, anyway.)
> >> 
> >> 
> >> POC:
> >> 
> >> ( Please TEST it in a real profile, real world example and it
> >> should work. I obviously changed the URL, POC below, to
> >> gibberish "6549_16544614736_444444875_n.jpg" )
> >> 
> >> STEPS:
> >> 
> >> You could try this by :
> >> 
> >> - changing your own facebook profile picture viewable to "only
> >> me", then bookmark your own Facebook profile and logout and clear
> >> cache.
> >> 
> >> - or then try different browser with your own profile from
> >> bookmark, without logging in to facebook!
> >> 
> >> - or pass your FB profile to a friend, with the following
> >> instruction.
> >> 
> >> ___
> >> 
> >> - then, in your browser, "Right click the Facebook profile image"
> >> that you want to access in full resolution (that have ACL as
> >> access to "only me" or "friends" ) > click "Copy image location"
> >> > paste it in notepad
> >> 
> >> sample url you will get (this link below is broken):
> >> 
> >> [1] https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg
> >> 
> >> to remove from [1]: "/c0.18.160.160/p160x160"   (part; in other cases,
> >> the url structure may be different, you just have to find and
> >> remove this middle part...)
> >> 
> >> final modified url from above, with which you can access the profile
> >> picture in full resolution via your browser:
> >> 
> >> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg
> >> 
> >> Respectfully,
> >> -bipin
> > 
> > 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> 
> -----END PGP SIGNATURE-----
> 

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
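
The thread's disagreement is whether an unguessable URL counts as an authorization token. Eric's suggested fix (authenticate the requester and enforce the ACL at fetch time) can be shown with a short-lived signed URL whose signature covers the exact path, the viewer and an expiry, so a copied link expires and rewriting the path to another variant invalidates it. This is an added example, not code from any poster or from Facebook's CDN; the ACL table, the signing key and the host `cdn.example` are constructed placeholders.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed sample ACL: who may view which picture ("only me" = owner only).
ACL = {
    "pic_6549": {"owner": "alice", "visibility": "friends", "friends": {"bob"}},
}
SECRET = b"server-side-signing-key-PLACEHOLDER"  # constructed, never ship this


def is_allowed(pic_id, viewer):
    """Server-side ACL decision; anonymous viewers (None) are always refused."""
    entry = ACL.get(pic_id)
    if entry is None or viewer is None:
        return False
    if viewer == entry["owner"]:
        return True
    return entry["visibility"] == "friends" and viewer in entry["friends"]


def _sig(path, viewer, exp):
    # HMAC binds the full path (variant included), the viewer and the expiry.
    msg = f"{path}|{viewer}|{exp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_url(pic_id, variant, viewer, ttl=300, now=None):
    """Return a signed, expiring URL, or None when the viewer fails the ACL."""
    if not is_allowed(pic_id, viewer):
        return None
    exp = int(now if now is not None else time.time()) + ttl
    path = f"/img/{variant}/{pic_id}.jpg"  # variant e.g. p160x160 or full
    q = urlencode({"u": viewer, "exp": exp, "sig": _sig(path, viewer, exp)})
    return f"https://cdn.example{path}?{q}"


def check_request(url, now=None):
    """Edge/CDN check: reject unsigned, expired, tampered or re-ACL'd requests."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        viewer, exp, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False  # bare URL with no token: knowing the path is not enough
    if (now if now is not None else time.time()) > exp:
        return False
    if not hmac.compare_digest(sig, _sig(parts.path, viewer, exp)):
        return False  # path or viewer changed after signing
    name = parts.path.rsplit("/", 1)[-1]
    pic_id = name[:-4] if name.endswith(".jpg") else name
    return is_allowed(pic_id, viewer)  # re-check ACL: revocation takes effect
```

A leaked link still works until `exp`, so the TTL bounds the exposure window, and the final ACL re-check means changing a picture to "only me" cuts off previously issued links immediately.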
