lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 1 Apr 2014 13:36:07 -0700
From: coderaptor <coderaptor@...il.com>
To: Ron <ron@...llsecurity.net>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Access anyone's Facebook "profile picture" in full
 resolution regardless of the ACL restriction

Apparently, this issue was discovered earlier...

http://flagdefenders.blogspot.com/2013/10/facebook-image-privacy-keep-calm-and-be.html

-coderaptor

On Tue, Apr 1, 2014 at 1:23 PM, Ron <ron@...llsecurity.net> wrote:
> By that same token, passwords, private keys, and any sort of signatures
> should also be considered an issue. Sure, passwords are effectively
> security by obscurity, but with enough entropy and the ability to detect
> abuses, it's not an issue.
>
> So essentially, it's *maybe* a vulnerability in the academic sense, but
> this is the real world. On that note, I was gonna put "in before
> arbitrary file upload to youtube", but somebody else beat me to it. :)
>
> Ron
>
> On 2014-04-01 11:46, Eric Rand wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Security through obscurity is not security at all; if you are going to
>> provide ACLs, then you have an ethical obligation to ensure that they
>> do work regardless of the access path of the file.
>>
>> Compromising a facebook account and 'leaking' the image URLs for
>> access by other persons provides a means of obscuring the path of
>> leakage, thus compromising the capability of auditing the source of
>> the breach.
>>
>> In cases where the breach violates the law, as per California's
>> statutes against 'revenge porn' and the like, this directly inhibits
>> the ability of police to investigate the breach.
>>
>> Accordingly, just as in the case of the AT&T "breach", Facebook is
>> keeping data in a publicly accessible fashion that should not be
>> publicly accessible.
>>
>> The best practices for these situations is to enforce ACLs by
>> authenticating those users requesting a file to ensure that they are
>> permitted to do so, instead of relying on knowledge of the URL as the
>> authorization token.
>>
>> On 04/01/2014 07:49 AM, Philip Whitehouse wrote:
>> > Again they need the URL.
>> >
>> > If you have a way to determine the URL of a specific user's profile
>> > image from public info that would be a vulnerability.
>> >
>> > Simply the ability for a user or allowed visitor to copy the URL is
>> > not.
>> >
>> > You can determine who can see the URL in your Facebook privacy
>> > settings.
>> >
>> > Philip Whitehouse
>> >
>> > ----- Reply message ----- From: "Bipin Gautam"
>> > <bipin.gautam@...il.com> To: "Philip Whitehouse"
>> > <philip@...uk.com> Cc: "fulldisclosure"
>> > <fulldisclosure@...lists.org> Subject: Access anyone's Facebook
>> > "profile picture" in full resolution regardless of the ACL
>> > restriction Date: Tue, Apr 1, 2014 15:19
>> >
>> > Hi,
>> >
>> > the POC is about "anyone being able to access anyone's facebook
>> > profile picture in full resolution" + regardless of the ACL set to
>> > their facebook profile picture (say; even when your profile
>> > picture permission of your facebook is set as... viewable to "only
>> > me" or "friends" ) ...anyone can see your full resolution profile
>> > picture even without logging on to facebook with the following
>> > method!
>> >
>> > (Assumption: maybe if you (your ISP?) are using CDN and someone in
>> > your ISP / region have already viewed the profile picture and as it
>> > is already fetched locally / cached in local CDN so, other party
>> > can access it? Does CND have IP restriction for a region / ISP ? )
>> >
>> > Try... it works for me, Make sense ?
>> >
>> >
>> > On 4/1/14, Philip Whitehouse <philip@...uk.com> wrote:
>> >> This is not a vulnerability.
>> >>
>> >> The image path is not predictable. Sharing the URL is by itself
>> >> giving permission for the other party to see it.
>> >>
>> >> Even if it were possible to restrict access it could be
>> >> circumvented by downloading it and emailing the file instead of
>> >> the URL
>> >>
>> >>
>> >> Philip Whitehouse
>> >>
>> >> ----- Reply message ----- From: "Bipin Gautam"
>> >> <bipin.gautam@...il.com> To: "fulldisclosure"
>> >> <fulldisclosure@...lists.org> Subject: Access anyone's Facebook
>> >> "profile picture" in full resolution regardless of the ACL
>> >> restriction Date: Tue, Apr 1, 2014 10:59
>> >>
>> >> Hi List,
>> >>
>> >> I felt like writing / pointing this minor issue, as it as its
>> >> "Facebook" ...
>> >>
>> >> This issue is due to the way facebook pictures are stored in CDN
>> >> without authentication mechanism, during accessing it. (which
>> >> would be way technically complicated to implement it)
>> >>
>> >> Also, it is a Facebook feature that... if you have full path of
>> >> an image, you can pass it to anyone over the internet which they
>> >> can access it directly (and the facebook user should not have
>> >> unrealistic expectation to privacy. Hence, if someone can access
>> >> an image they can save/email it to others, anyway.)
>> >>
>> >>
>> >> POC:
>> >>
>> >> ( Please TEST it in a real profile, real world example and it
>> >> should work. I obviously changed the URL, POC below, to
>> >> gibberish "6549_16544614736_444444875_n.jpg" )
>> >>
>> >> STEPS:
>> >>
>> >> You could try this by :
>> >>
>> >> - changing your own facebook profile picture viewable to "only
>> >> me", then bookmark your own Facebook profile and logout and clear
>> >> cache.
>> >>
>> >> - or then try different browser with your own profile from
>> >> bookmark, without logging in to facebook!
>> >>
>> >> - or pass your FB profile to a friend, with the following
>> >> instruction.
>> >>
>> >> ___
>> >>
>> >> - then, in your browser, "Right click the Facebook profile image"
>> >> that you want to access in full resolution (that have ACL as
>> >> access to "only me" or "friends" ) > click "Copy image location"
>> >> > paste it in notepad
>> >>
>> >> sample url you will get (this link below is broken)
>> >>
>> >> :[1]
>> >> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg
>> >>
>> >>
>> >>
>> >>
>> to remove from [1]: "/c0.18.160.160/p160x160"   (part; in other cases,
>> >> the url structure may be different, you just have to find and
>> >> remove this middle part...)
>> >>
>> >> final modified url from above, which you can access the profile
>> >> picture in full resolution via your browser :
>> >>
>> >> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg
>> >>
>> >>
>> >>
>> >>
>> Respectfully,
>> >> -bipin
>> >
>> > _______________________________________________ Sent through the
>> > Full Disclosure mailing list
>> > http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS:
>> > http://seclists.org/fulldisclosure/
>> >
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1
>> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>>
>> iQIcBAEBAgAGBQJTOwmQAAoJELegdynGqmmahBQQAIt2RgaoHbhPGwQiufr5JmJV
>> eKCvZPIIEuuiydMvvhXajRHsNDYE2uYiahEXRyTN3dzGYk3+ynHV9zVSpVzfUv6m
>> tYRegnHPG59ycZHfye5baYPvsDy/ZHEng/nfTOPHPILnwXpm6XJRgoYzjCoytg1f
>> GBPo6+OxTstiD09dGhQ1P6ZmP7ueDmXJIwpvCC99mjlgaa7fg3o1u8/DBoyhokzd
>> TptzM1xjEUdCOfLPqBn6OFhqdwluOTT89s0Dp5CIBzc9vdHjyCI9v/1G+UyPwxXO
>> PmFlGH9bNnsmk1N2dKDNK95jRhM731kbWca3YiCL/ooW2KVWBzfnRVYIfgVXyweV
>> jeCJvCRrsoHzcg33NH4rfL8wfhEw8zO6dF5DpRE+t6zhqzjsPUNbofJpZqr0682K
>> L/r0To0y0F/oYVmjFsQZcmpMYiyuYfSUKuU+qcRNxMK7bvTV/pmRdoGeCMXNQucx
>> 2YA68GSnWARXU36XX6tEiLAJwkzWMULg21D0inLRrQT1jMPlR5xQIjE2pF8GVYwN
>> ZF0YFSrVWEPSxx2hXjsmLAkbJAuBSHQHIqEAb+4v3O+fIJRlD5V98NRH7Ra/9XX9
>> 1XWXIFMTD8MboB0YBYPirKj+a29X0MldFyTZCtMyYOiNa3BdhwlpKAMbUZWFKyJW
>> I8refItlaTjLhAUCnyDy
>> =fudo
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists