I haven't verified, but isn't this how browser plugins like the following work?
https://chrome.google.com/webstore/detail/photo-zoom-for-facebook/elioihkkcdgakfbahdoddophfngopipi

Haven't tried it myself, but it seems reasonable to think so.

On Tue, Apr 1, 2014 at 11:59 AM, Bipin Gautam <bipin.gau...@gmail.com> wrote:

> Hi List,
>
> I felt like writing / pointing this minor issue, as it as its "Facebook"
> ...
>
> This issue is due to the way facebook pictures are stored in CDN
> without authentication mechanism, during accessing it. (which would be
> way technically complicated to implement it)
>
> Also, it is a Facebook feature that... if you have full path of an
> image, you can pass it to anyone over the internet which they can
> access it directly (and the facebook user should not have unrealistic
> expectation to privacy. Hence, if someone can access an image they can
> save/email it to others, anyway.)
>
>
> POC:
>
> ( Please TEST it in a real profile, real world example and it should
> work. I obviously changed the URL, POC below, to gibberish
> "6549_16544614736_444444875_n.jpg" )
>
> STEPS:
>
> You could try this by :
>
> - changing your own facebook profile picture viewable to "only me",
> then bookmark your own Facebook profile and logout and clear cache.
>
> - or then try different browser with your own profile from bookmark,
> without logging in to facebook!
>
> - or pass your FB profile to a friend, with the following instruction.
>
> ___
>
> - then, in your browser, "Right click the Facebook profile image" that
> you want to access in full resolution (that have ACL as access to
> "only me" or "friends" ) > click "Copy image location" > paste it in
> notepad
>
> sample url you will get (this link below is broken)
>
> :[1]
> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg
>
>
> to remove from [1]: "/c0.18.160.160/p160x160" (part; in other cases,
> the url structure may be different, you just have to find and remove
> this middle part...)
>
> final modified url from above, which you can access the profile
> picture in full resolution via your browser :
>
>
> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg
>
>
> Respectfully,
> -bipin
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
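
Added example, not part of the original thread and not Facebook's or Akamai's actual mechanism: the quoted post attributes the issue to CDN image URLs being served without any authentication, so this sketch shows an expiring HMAC-signed URL in which the signature covers the whole path, including the crop/size segment. The key, the `e`/`s` query parameter names, the function names and the timestamp are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real deployment shares a secret with the CDN edge.
KEY = b"constructed-demo-key"

def _mac(path: str, expires: int, key: bytes) -> str:
    # The MAC covers the whole path, including the crop/size segment.
    return hmac.new(key, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()

def sign_url(path: str, expires: int, key: bytes = KEY) -> str:
    """Origin side: issue a URL valid for exactly this path until `expires`."""
    return f"{path}?e={expires}&s={_mac(path, expires, key)}"

def verify_url(url: str, now: int, key: bytes = KEY) -> bool:
    """Edge side: reject URLs that are unsigned, altered or expired."""
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires = int(params.get("e", ""))
    except ValueError:
        return False
    supplied = params.get("s", "").encode()
    if not hmac.compare_digest(_mac(path, expires, key).encode(), supplied):
        return False
    return now <= expires

# Constructed sample built from the gibberish path in the post.
THUMB = "/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg"
ISSUED_AT = 1396350000  # constructed timestamp

def demo() -> dict:
    signed = sign_url(THUMB, ISSUED_AT + 300)
    stripped = signed.replace("/c0.18.160.160/p160x160", "")
    return {
        "as_issued": verify_url(signed, ISSUED_AT + 10),
        "segment_removed": verify_url(stripped, ISSUED_AT + 10),
        "after_expiry": verify_url(signed, ISSUED_AT + 301),
        "unsigned": verify_url(THUMB, ISSUED_AT + 10),
    }

if __name__ == "__main__":
    print(demo())
```

A signed URL can still be forwarded to someone else until it expires, so this limits URL rewriting and long-lived links rather than sharing itself.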