Again they need the URL. If you have a way to determine the URL of a specific user's profile image from public info that would be a vulnerability.
Simply the ability for a user or allowed visitor to copy the URL is not. You can determine who can see the URL in your Facebook privacy settings. Philip Whitehouse ----- Reply message ----- From: "Bipin Gautam" <bipin.gau...@gmail.com> To: "Philip Whitehouse" <phi...@whiuk.com> Cc: "fulldisclosure" <fulldisclosure@seclists.org> Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction Date: Tue, Apr 1, 2014 15:19 Hi, the POC is about "anyone being able to access anyone's facebook profile picture in full resolution" + regardless of the ACL set to their facebook profile picture (say; even when your profile picture permission of your facebook is set as... viewable to "only me" or "friends" ) ...anyone can see your full resolution profile picture even without logging on to facebook with the following method! (Assumption: maybe if you (your ISP?) are using CDN and someone in your ISP / region have already viewed the profile picture and as it is already fetched locally / cached in local CDN so, other party can access it? Does CND have IP restriction for a region / ISP ? ) Try... it works for me, Make sense ? On 4/1/14, Philip Whitehouse <phi...@whiuk.com> wrote: > This is not a vulnerability. > > The image path is not predictable. Sharing the URL is by itself giving > permission for the other party to see it. > > Even if it were possible to restrict access it could be circumvented by > downloading it and emailing the file instead of the URL > > > Philip Whitehouse > > ----- Reply message ----- > From: "Bipin Gautam" <bipin.gau...@gmail.com> > To: "fulldisclosure" <fulldisclosure@seclists.org> > Subject: Access anyone's Facebook "profile picture" in full resolution > regardless of the ACL restriction > Date: Tue, Apr 1, 2014 10:59 > > Hi List, > > I felt like writing / pointing this minor issue, as it as its "Facebook" ... > > This issue is due to the way facebook pictures are stored in CDN > without authentication mechanism, during accessing it. (which would be > way technically complicated to implement it) > > Also, it is a Facebook feature that... if you have full path of an > image, you can pass it to anyone over the internet which they can > access it directly (and the facebook user should not have unrealistic > expectation to privacy. Hence, if someone can access an image they can > save/email it to others, anyway.) > > > POC: > > ( Please TEST it in a real profile, real world example and it should > work. I obviously changed the URL, POC below, to gibberish > "6549_16544614736_444444875_n.jpg" ) > > STEPS: > > You could try this by : > > - changing your own facebook profile picture viewable to "only me", > then bookmark your own Facebook profile and logout and clear cache. > > - or then try different browser with your own profile from bookmark, > without logging in to facebook! > > - or pass your FB profile to a friend, with the following instruction. > > ___ > > - then, in your browser, "Right click the Facebook profile image" that > you want to access in full resolution (that have ACL as access to > "only me" or "friends" ) > click "Copy image location" > paste it in > notepad > > sample url you will get (this link below is broken) > > :[1] > https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg > > > to remove from [1]: "/c0.18.160.160/p160x160" (part; in other cases, > the url structure may be different, you just have to find and remove > this middle part...) > > final modified url from above, which you can access the profile > picture in full resolution via your browser : > > https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg > > > Respectfully, > -bipin _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
