Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction

From: William Reyor <opticfiber () gmail com>
Date: Thu, 3 Apr 2014 15:08:13 -0400
That's been on tracksomebody.com forever. See http://tracksomebody.com/?p=173

William Reyor
@wreyor


On Apr 3, 2014, at 12:07 PM, illwill <illwill () illmob org> wrote:

did you know the second section of the filename is the users actual
facebook user id?
6549_*16544614736*_444444875_n.jpg
https://www.facebook.com/profile.php?id=*16544614736

*
       -illwill
illwill () illmob org
http://illmob.org


On 4/1/2014 5:59 AM, Bipin Gautam wrote:
Hi List,

I felt like writing / pointing this minor issue, as it as its "Facebook" ...

This issue is due to the way facebook pictures are stored in CDN
without authentication mechanism, during accessing it. (which would be
way technically complicated to implement it)

Also, it is a Facebook feature that... if you have full path of an
image, you can pass it to anyone over the internet which they can
access it directly (and the facebook user should not have unrealistic
expectation to privacy. Hence, if someone can access an image they can
save/email it to others, anyway.)


POC:

( Please TEST it in a real profile, real world example and it should
work. I obviously changed the URL, POC below, to gibberish
"6549_16544614736_444444875_n.jpg" )

STEPS:

You could try this by :

- changing your own facebook profile picture viewable to "only me",
then bookmark your own Facebook profile and logout and clear cache.

- or then try different browser with your own profile from bookmark,
without logging in to facebook!

- or pass your FB profile to a friend, with the following instruction.

___

- then, in your browser, "Right click the Facebook profile image" that
you want to access in full resolution (that have ACL as access to
"only me" or "friends" ) > click "Copy image location" > paste it in
notepad

sample url you will get (this link below is broken)

:[1] 
https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg


to remove from [1]: "/c0.18.160.160/p160x160"   (part; in other cases,
the url structure may be different, you just have to find and remove
this middle part...)

final modified url from above, which you can access the profile
picture in full resolution via your browser :

https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg


Respectfully,
-bipin


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: