| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <12CDEC01-1244-4FE2-B98A-AE33B1CA3E8C@gmail.com> Date: Thu, 3 Apr 2014 15:08:13 -0400 From: William Reyor <opticfiber@...il.com> To: illwill <illwill@...mob.org> Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: Re: [FD] Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction That's been on tracksomebody.com forever. See http://tracksomebody.com/?p=173 William Reyor @wreyor > On Apr 3, 2014, at 12:07 PM, illwill <illwill@...mob.org> wrote: > > did you know the second section of the filename is the users actual > facebook user id? > 6549_*16544614736*_444444875_n.jpg > https://www.facebook.com/profile.php?id=*16544614736 > > * > -illwill > illwill@...mob.org > http://illmob.org > >> On 4/1/2014 5:59 AM, Bipin Gautam wrote: >> Hi List, >> >> I felt like writing / pointing this minor issue, as it as its "Facebook" ... >> >> This issue is due to the way facebook pictures are stored in CDN >> without authentication mechanism, during accessing it. (which would be >> way technically complicated to implement it) >> >> Also, it is a Facebook feature that... if you have full path of an >> image, you can pass it to anyone over the internet which they can >> access it directly (and the facebook user should not have unrealistic >> expectation to privacy. Hence, if someone can access an image they can >> save/email it to others, anyway.) >> >> >> POC: >> >> ( Please TEST it in a real profile, real world example and it should >> work. I obviously changed the URL, POC below, to gibberish >> "6549_16544614736_444444875_n.jpg" ) >> >> STEPS: >> >> You could try this by : >> >> - changing your own facebook profile picture viewable to "only me", >> then bookmark your own Facebook profile and logout and clear cache. >> >> - or then try different browser with your own profile from bookmark, >> without logging in to facebook! >> >> - or pass your FB profile to a friend, with the following instruction. >> >> ___ >> >> - then, in your browser, "Right click the Facebook profile image" that >> you want to access in full resolution (that have ACL as access to >> "only me" or "friends" ) > click "Copy image location" > paste it in >> notepad >> >> sample url you will get (this link below is broken) >> >> :[1] https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg >> >> >> to remove from [1]: "/c0.18.160.160/p160x160" (part; in other cases, >> the url structure may be different, you just have to find and remove >> this middle part...) >> >> final modified url from above, which you can access the profile >> picture in full resolution via your browser : >> >> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg >> >> >> Respectfully, >> -bipin >> >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> http://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists