Full Disclosure mailing list archives

Re: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction


From: coderaptor <coderaptor () gmail com>
Date: Tue, 1 Apr 2014 13:36:07 -0700

Apparently, this issue was discovered earlier...

http://flagdefenders.blogspot.com/2013/10/facebook-image-privacy-keep-calm-and-be.html

-coderaptor

On Tue, Apr 1, 2014 at 1:23 PM, Ron <ron () skullsecurity net> wrote:
By that same token, passwords, private keys, and any sort of signatures
should also be considered an issue. Sure, passwords are effectively
security by obscurity, but with enough entropy and the ability to detect
abuses, it's not an issue.

So essentially, it's *maybe* a vulnerability in the academic sense, but
this is the real world. On that note, I was gonna put "in before
arbitrary file upload to youtube", but somebody else beat me to it. :)

Ron

On 2014-04-01 11:46, Eric Rand wrote:
Security through obscurity is not security at all; if you are going to
provide ACLs, then you have an ethical obligation to ensure that they
do work regardless of the access path of the file.

Compromising a facebook account and 'leaking' the image URLs for
access by other persons provides a means of obscuring the path of
leakage, thus compromising the capability of auditing the source of
the breach.

In cases where the breach violates the law, as per California's
statutes against 'revenge porn' and the like, this directly inhibits
the ability of police to investigate the breach.

Accordingly, just as in the case of the AT&T "breach", Facebook is
keeping data in a publicly accessible fashion that should not be
publicly accessible.

The best practice for these situations is to enforce ACLs by
authenticating those users requesting a file to ensure that they are
permitted to do so, instead of relying on knowledge of the URL as the
authorization token.

On 04/01/2014 07:49 AM, Philip Whitehouse wrote:
Again they need the URL.

If you have a way to determine the URL of a specific user's profile
image from public info that would be a vulnerability.

Simply the ability for a user or allowed visitor to copy the URL is
not.

You can determine who can see the URL in your Facebook privacy
settings.

Philip Whitehouse

----- Reply message -----
From: "Bipin Gautam" <bipin.gautam () gmail com>
To: "Philip Whitehouse" <philip () whiuk com>
Cc: "fulldisclosure" <fulldisclosure () seclists org>
Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction
Date: Tue, Apr 1, 2014 15:19

Hi,

The POC is about "anyone being able to access anyone's Facebook
profile picture in full resolution", regardless of the ACL set on
their Facebook profile picture (say, even when the permission on your
Facebook profile picture is set as viewable to "only me" or "friends"):
anyone can see your full-resolution profile picture, even without
logging on to Facebook, with the following method!

(Assumption: maybe if you (your ISP?) are using a CDN and someone in
your ISP / region has already viewed the profile picture, then as it
is already fetched locally / cached in the local CDN, another party
can access it? Does the CDN have IP restrictions for a region / ISP?)

Try it... it works for me. Makes sense?


On 4/1/14, Philip Whitehouse <philip () whiuk com> wrote:
This is not a vulnerability.

The image path is not predictable. Sharing the URL is by itself
giving permission for the other party to see it.

Even if it were possible to restrict access, it could be
circumvented by downloading it and emailing the file instead of
the URL.


Philip Whitehouse

----- Reply message -----
From: "Bipin Gautam" <bipin.gautam () gmail com>
To: "fulldisclosure" <fulldisclosure () seclists org>
Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction
Date: Tue, Apr 1, 2014 10:59

Hi List,

I felt like writing up / pointing out this minor issue, as it is
"Facebook"...

This issue is due to the way Facebook pictures are stored in the CDN
without an authentication mechanism when accessing them (which
would be technically very complicated to implement).

Also, it is a Facebook feature that... if you have the full path of
an image, you can pass it to anyone over the internet and they
can access it directly (and the Facebook user should not have an
unrealistic expectation of privacy. Hence, if someone can access
an image they can save/email it to others anyway.)


POC:

(Please TEST it on a real profile, a real-world example, and it
should work. I obviously changed the URL in the POC below to
gibberish "6549_16544614736_444444875_n.jpg".)

STEPS:

You could try this by:

- changing your own Facebook profile picture to be viewable to "only
me", then bookmarking your own Facebook profile, logging out and
clearing the cache.

- or then trying a different browser with your own profile from the
bookmark, without logging in to Facebook!

- or passing your FB profile to a friend, with the following
instructions.

___

- then, in your browser, "Right click the Facebook profile image"
that you want to access in full resolution (that has its ACL set to
"only me" or "friends") > click "Copy image location" and
paste it in notepad.

Sample URL you will get (this link below is broken):

[1]
https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg

Remove from [1] the part "/c0.18.160.160/p160x160" (in other cases,
the URL structure may be different; you just have to find and
remove this middle part...)

Final modified URL from the above, with which you can access the profile
picture in full resolution via your browser:

https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg




Respectfully,
-bipin

_______________________________________________ Sent through the
Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS:
http://seclists.org/fulldisclosure/

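Added example, not from the thread and not Facebook's or Akamai's code: Bipin Gautam's POC step (strip the crop/size segment from a thumbnail URL to reach the full-resolution original) put beside one concrete form of the remedy Eric Rand argues for, a CDN edge that authorizes each request instead of treating knowledge of the path as the token. The form shown here is an HMAC-signed, expiring URL whose signature covers the exact path requested, variant segment included; the signing key, the `exp`/`sig` parameter names, the `edge_unsigned` stand-in for the behaviour the thread describes, and the acceptance of an `s<w>x<h>` segment are assumptions for illustration. The sample URL is the deliberately gibberish one quoted in the thread.

```python
"""Profile-picture URL variants: the thread's strip-the-crop-segment step, beside a
CDN-side check that binds the exact variant path into a signed, expiring URL.

Added example. The signing key, the 'exp'/'sig' query parameters and the two edge
policies are illustrative assumptions, not Facebook's or Akamai's real scheme."""
import hashlib
import hmac
import re
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample: the (deliberately gibberish) thumbnail URL quoted in the thread.
THUMB_URL = ("https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1"
             "/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg")

# The crop ("c<x>.<y>.<w>.<h>") and size ("p<w>x<h>") segments the POC removes.
# Accepting "s<w>x<h>" as well is an assumption; the thread only shows a "p" segment.
VARIANT_RE = re.compile(r"/c\d+\.\d+\.\d+\.\d+/[ps]\d+x\d+(?=/)")

# Assumption: a key shared by the origin (which mints URLs) and the CDN edge.
SIGNING_KEY = b"hypothetical-cdn-signing-key"


def strip_variant(url: str) -> str:
    """The thread's POC step: drop the crop/size segment so the path names the
    full-resolution original. Any query string is left in place."""
    return VARIANT_RE.sub("", url, count=1)


def _mac(path: str, expires: int, key: bytes) -> str:
    # The MAC covers the exact path, so editing any segment changes the expected value.
    msg = f"{path}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(url: str, key: bytes, expires: int) -> str:
    """Mint a capability URL for exactly this variant, valid until 'expires' (Unix time).
    Any existing query string is replaced (assumption: the origin mints clean paths)."""
    parts = urlsplit(url)
    query = urlencode({"exp": expires, "sig": _mac(parts.path, expires, key)})
    return urlunsplit(parts._replace(query=query))


def verify_url(url: str, key: bytes, now: int) -> bool:
    """What a signing-aware edge checks before serving: unexpired, and the signature
    matches the path actually requested. Constant-time comparison on bytes."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    expected = _mac(parts.path, expires, key)
    return hmac.compare_digest(expected.encode(), sig.encode())


def edge_unsigned(url: str) -> bool:
    """Stand-in for the behaviour the thread describes: the edge serves any
    well-formed object path, so the object id is the only secret and every
    variant (thumbnail or original) shares it."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.path.endswith("_n.jpg")


def demo(now: Optional[int] = None) -> dict:
    """Run the POC against both edge policies; returns which requests get served."""
    now = int(time.time()) if now is None else now
    signed_thumb = sign_url(THUMB_URL, SIGNING_KEY, now + 3600)
    forged_full = strip_variant(signed_thumb)          # the thread's edit, applied to a signed URL
    return {
        "unsigned_edge_serves_thumb": edge_unsigned(THUMB_URL),
        "unsigned_edge_serves_full": edge_unsigned(strip_variant(THUMB_URL)),
        "signed_edge_serves_thumb": verify_url(signed_thumb, SIGNING_KEY, now),
        "signed_edge_serves_full": verify_url(forged_full, SIGNING_KEY, now),
        "signed_edge_after_expiry": verify_url(signed_thumb, SIGNING_KEY, now + 3600),
    }


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name}: {served}")
```

Binding the whole path means a URL minted for the 160x160 crop says nothing about the original, so the edit the thread describes produces a request the edge refuses; the expiry bounds how long a leaked or shared URL keeps working, which is the "ability to detect abuses" half of Ron's point in a mechanical form. It does not, and cannot, stop a viewer from downloading the thumbnail they were legitimately served and forwarding the file, which is Philip Whitehouse's point.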

