lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 1 Apr 2014 20:04:13 +0545
From: Bipin Gautam <>
To: Philip Whitehouse <>
Cc: fulldisclosure <>
Subject: Re: [FD] Access anyone's Facebook "profile picture" in full
 resolution regardless of the ACL restriction


the POC is about "anyone being able to access anyone's facebook
profile picture in full resolution" + regardless of the ACL set to
their facebook profile picture (say; even when your profile picture
permission of your facebook is set as... viewable to "only me" or
"friends" ) ...anyone can see your full resolution profile picture
even without logging on to facebook with the following method!

(Assumption: maybe if you (your ISP?) are using CDN and someone in
your ISP / region have already viewed the profile picture and as it is
already fetched locally / cached in local CDN so, other party can
access it? Does CND have IP restriction for a region / ISP ? )

Try... it works for me, Make sense ?

On 4/1/14, Philip Whitehouse <> wrote:
> This is not a vulnerability.
> The image path is not predictable. Sharing the URL is by itself giving
> permission for the other party to see it.
> Even if it were possible to restrict access it could be circumvented by
> downloading it and emailing the file instead of the URL
> Philip Whitehouse
> ----- Reply message -----
> From: "Bipin Gautam" <>
> To: "fulldisclosure" <>
> Subject: Access anyone's Facebook "profile picture" in full resolution
> regardless of the ACL restriction
> Date: Tue, Apr 1, 2014 10:59
> Hi List,
> I felt like writing / pointing this minor issue, as it as its "Facebook" ...
> This issue is due to the way facebook pictures are stored in CDN
> without authentication mechanism, during accessing it. (which would be
> way technically complicated to implement it)
> Also, it is a Facebook feature that... if you have full path of an
> image, you can pass it to anyone over the internet which they can
> access it directly (and the facebook user should not have unrealistic
> expectation to privacy. Hence, if someone can access an image they can
> save/email it to others, anyway.)
> POC:
> ( Please TEST it in a real profile, real world example and it should
> work. I obviously changed the URL, POC below, to gibberish
> "6549_16544614736_444444875_n.jpg" )
> You could try this by :
> - changing your own facebook profile picture viewable to "only me",
> then bookmark your own Facebook profile and logout and clear cache.
> - or then try different browser with your own profile from bookmark,
> without logging in to facebook!
> - or pass your FB profile to a friend, with the following instruction.
> ___
> - then, in your browser, "Right click the Facebook profile image" that
> you want to access in full resolution (that have ACL as access to
> "only me" or "friends" ) > click "Copy image location" > paste it in
> notepad
> sample url you will get (this link below is broken)
> :[1]
> to remove from [1]: "/c0.18.160.160/p160x160"   (part; in other cases,
> the url structure may be different, you just have to find and remove
> this middle part...)
> final modified url from above, which you can access the profile
> picture in full resolution via your browser :
> Respectfully,
> -bipin

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists