Re: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction

[Andreas Lindh <addelindh () gmail com>]

Hey guys,

Please don't turn this into a "Google/YouTube arbitrary file upload"
thread, ok? :)

kthxbye

Andreas


2014-04-01 20:48 GMT+02:00 Willie Gillespie <
wgillespie+fulldisclosure () es2eng com>:

> You are both right.
>
> * You can get the full resolution copy of the profile picture by modifying
> the URL in various ways.
>
> * You can easily get the URL of any user's profile picture if you know
> their profile URL or user id.
>
> * But all this is because Facebook considers the photo "public
> information" and does not try to restrict it. [1]
>
> [1] https://www.facebook.com/help/193629617349922
>
> On 04/01/2014 08:49 AM, Philip Whitehouse wrote:
>
> > Again they need the URL.
> >
> > If you have a way to determine the URL of a specific user's profile image
> > from public info that would be a vulnerability.
> >
> > Simply the ability for a user or allowed visitor to copy the URL is not.
> >
> > You can determine who can see the URL in your Facebook privacy settings.
> >
> > Philip Whitehouse
> >
> > ----- Reply message -----
> > From: "Bipin Gautam" <bipin.gautam () gmail com>
> > To: "Philip Whitehouse" <philip () whiuk com>
> > Cc: "fulldisclosure" <fulldisclosure () seclists org>
> > Subject: Access anyone's Facebook "profile picture" in full resolution
> > regardless of the ACL restriction
> > Date: Tue, Apr 1, 2014 15:19
> >
> > Hi,
> >
> > the POC is about "anyone being able to access anyone's facebook
> > profile picture in full resolution" + regardless of the ACL set to
> > their facebook profile picture (say; even when your profile picture
> > permission of your facebook is set as... viewable to "only me" or
> > "friends" ) ...anyone can see your full resolution profile picture
> > even without logging on to facebook with the following method!
> >
> > (Assumption: maybe if you (your ISP?) are using CDN and someone in
> > your ISP / region have already viewed the profile picture and as it is
> > already fetched locally / cached in local CDN so, other party can
> > access it? Does CND have IP restriction for a region / ISP ? )
> >
> > Try... it works for me, Make sense ?
> >
> >
> > On 4/1/14, Philip Whitehouse <philip () whiuk com> wrote:
> >
> > > This is not a vulnerability.
> > >
> > > The image path is not predictable. Sharing the URL is by itself giving
> > > permission for the other party to see it.
> > >
> > > Even if it were possible to restrict access it could be circumvented by
> > > downloading it and emailing the file instead of the URL
> > >
> > >
> > > Philip Whitehouse
> > >
> > > ----- Reply message -----
> > > From: "Bipin Gautam" <bipin.gautam () gmail com>
> > > To: "fulldisclosure" <fulldisclosure () seclists org>
> > > Subject: Access anyone's Facebook "profile picture" in full resolution
> > > regardless of the ACL restriction
> > > Date: Tue, Apr 1, 2014 10:59
> > >
> > > Hi List,
> > >
> > > I felt like writing / pointing this minor issue, as it as its "Facebook"
> > > ...
> > >
> > > This issue is due to the way facebook pictures are stored in CDN
> > > without authentication mechanism, during accessing it. (which would be
> > > way technically complicated to implement it)
> > >
> > > Also, it is a Facebook feature that... if you have full path of an
> > > image, you can pass it to anyone over the internet which they can
> > > access it directly (and the facebook user should not have unrealistic
> > > expectation to privacy. Hence, if someone can access an image they can
> > > save/email it to others, anyway.)
> > >
> > >
> > > POC:
> > >
> > > ( Please TEST it in a real profile, real world example and it should
> > > work. I obviously changed the URL, POC below, to gibberish
> > > "6549_16544614736_444444875_n.jpg" )
> > >
> > > STEPS:
> > >
> > > You could try this by :
> > >
> > > - changing your own facebook profile picture viewable to "only me",
> > > then bookmark your own Facebook profile and logout and clear cache.
> > >
> > > - or then try different browser with your own profile from bookmark,
> > > without logging in to facebook!
> > >
> > > - or pass your FB profile to a friend, with the following instruction.
> > >
> > > ___
> > >
> > > - then, in your browser, "Right click the Facebook profile image" that
> > > you want to access in full resolution (that have ACL as access to
> > > "only me" or "friends" ) > click "Copy image location" > paste it in
> > > notepad
> > >
> > > sample url you will get (this link below is broken)
> > >
> > > :[1]
> > > https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/
> > > t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg
> > >
> > >
> > > to remove from [1]: "/c0.18.160.160/p160x160"   (part; in other cases,
> > > the url structure may be different, you just have to find and remove
> > > this middle part...)
> > >
> > > final modified url from above, which you can access the profile
> > > picture in full resolution via your browser :
> > >
> > > https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/
> > > t1.0-1/6549_16544614736_444444875_n.jpg
> > >
> > >
> > > Respectfully,
> > > -bipin
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/