lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 01 Apr 2014 15:49:57 +0100
From: "Philip Whitehouse" <philip@...uk.com>
To: "Bipin Gautam" <bipin.gautam@...il.com>
Cc: fulldisclosure <fulldisclosure@...lists.org>
Subject: Re: [FD]
 Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction

Again they need the URL.

If you have a way to determine the URL of a specific user's profile image from public info that would be a vulnerability.

Simply the ability for a user or allowed visitor to copy the URL is not.

You can determine who can see the URL in your Facebook privacy settings.

Philip Whitehouse

----- Reply message -----
From: "Bipin Gautam" <bipin.gautam@...il.com>
To: "Philip Whitehouse" <philip@...uk.com>
Cc: "fulldisclosure" <fulldisclosure@...lists.org>
Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction
Date: Tue, Apr 1, 2014 15:19

Hi,

the POC is about "anyone being able to access anyone's facebook
profile picture in full resolution" + regardless of the ACL set to
their facebook profile picture (say; even when your profile picture
permission of your facebook is set as... viewable to "only me" or
"friends" ) ...anyone can see your full resolution profile picture
even without logging on to facebook with the following method!

(Assumption: maybe if you (your ISP?) are using CDN and someone in
your ISP / region have already viewed the profile picture and as it is
already fetched locally / cached in local CDN so, other party can
access it? Does CND have IP restriction for a region / ISP ? )

Try... it works for me, Make sense ?


On 4/1/14, Philip Whitehouse <philip@...uk.com> wrote:
> This is not a vulnerability.
>
> The image path is not predictable. Sharing the URL is by itself giving
> permission for the other party to see it.
>
> Even if it were possible to restrict access it could be circumvented by
> downloading it and emailing the file instead of the URL
>
>
> Philip Whitehouse
>
> ----- Reply message -----
> From: "Bipin Gautam" <bipin.gautam@...il.com>
> To: "fulldisclosure" <fulldisclosure@...lists.org>
> Subject: Access anyone's Facebook "profile picture" in full resolution
> regardless of the ACL restriction
> Date: Tue, Apr 1, 2014 10:59
>
> Hi List,
>
> I felt like writing / pointing this minor issue, as it as its "Facebook" ...
>
> This issue is due to the way facebook pictures are stored in CDN
> without authentication mechanism, during accessing it. (which would be
> way technically complicated to implement it)
>
> Also, it is a Facebook feature that... if you have full path of an
> image, you can pass it to anyone over the internet which they can
> access it directly (and the facebook user should not have unrealistic
> expectation to privacy. Hence, if someone can access an image they can
> save/email it to others, anyway.)
>
>
> POC:
>
> ( Please TEST it in a real profile, real world example and it should
> work. I obviously changed the URL, POC below, to gibberish
> "6549_16544614736_444444875_n.jpg" )
>
> STEPS:
>
> You could try this by :
>
> - changing your own facebook profile picture viewable to "only me",
> then bookmark your own Facebook profile and logout and clear cache.
>
> - or then try different browser with your own profile from bookmark,
> without logging in to facebook!
>
> - or pass your FB profile to a friend, with the following instruction.
>
> ___
>
> - then, in your browser, "Right click the Facebook profile image" that
> you want to access in full resolution (that have ACL as access to
> "only me" or "friends" ) > click "Copy image location" > paste it in
> notepad
>
> sample url you will get (this link below is broken)
>
> :[1]
> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg
>
>
> to remove from [1]: "/c0.18.160.160/p160x160"   (part; in other cases,
> the url structure may be different, you just have to find and remove
> this middle part...)
>
> final modified url from above, which you can access the profile
> picture in full resolution via your browser :
>
> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg
>
>
> Respectfully,
> -bipin

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists