lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20140401125132.2DB9B9EE04@scarlet.richardwhiuk.com>
Date: Tue, 01 Apr 2014 13:51:17 +0100
From: "Philip Whitehouse" <philip@...uk.com>
To: "Bipin Gautam" <bipin.gautam@...il.com>,
	"fulldisclosure" <fulldisclosure@...lists.org>
Subject: Re: [FD]
 Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction

This is not a vulnerability.

The image path is not predictable. Sharing the URL is by itself giving permission for the other party to see it.

Even if it were possible to restrict access it could be circumvented by downloading it and emailing the file instead of the URL


Philip Whitehouse

----- Reply message -----
From: "Bipin Gautam" <bipin.gautam@...il.com>
To: "fulldisclosure" <fulldisclosure@...lists.org>
Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction
Date: Tue, Apr 1, 2014 10:59

Hi List,

I felt like writing / pointing this minor issue, as it as its "Facebook" ...

This issue is due to the way facebook pictures are stored in CDN
without authentication mechanism, during accessing it. (which would be
way technically complicated to implement it)

Also, it is a Facebook feature that... if you have full path of an
image, you can pass it to anyone over the internet which they can
access it directly (and the facebook user should not have unrealistic
expectation to privacy. Hence, if someone can access an image they can
save/email it to others, anyway.)


POC:

( Please TEST it in a real profile, real world example and it should
work. I obviously changed the URL, POC below, to gibberish
"6549_16544614736_444444875_n.jpg" )

STEPS:

You could try this by :

- changing your own facebook profile picture viewable to "only me",
then bookmark your own Facebook profile and logout and clear cache.

- or then try different browser with your own profile from bookmark,
without logging in to facebook!

- or pass your FB profile to a friend, with the following instruction.

___

- then, in your browser, "Right click the Facebook profile image" that
you want to access in full resolution (that have ACL as access to
"only me" or "friends" ) > click "Copy image location" > paste it in
notepad

sample url you will get (this link below is broken)

:[1] https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg


to remove from [1]: "/c0.18.160.160/p160x160"   (part; in other cases,
the url structure may be different, you just have to find and remove
this middle part...)

final modified url from above, which you can access the profile
picture in full resolution via your browser :

https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg


Respectfully,
-bipin

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ