Apparently, this issue was discovered earlier...
http://flagdefenders.blogspot.com/2013/10/facebook-image-privacy-keep-calm-and-be.html

-coderaptor

On Tue, Apr 1, 2014 at 1:23 PM, Ron <r...@skullsecurity.net> wrote:
> By that same token, passwords, private keys, and any sort of signatures
> should also be considered an issue. Sure, passwords are effectively
> security by obscurity, but with enough entropy and the ability to detect
> abuses, it's not an issue.
>
> So essentially, it's *maybe* a vulnerability in the academic sense, but
> this is the real world. On that note, I was gonna put "in before
> arbitrary file upload to youtube", but somebody else beat me to it. :)
>
> Ron
>
> On 2014-04-01 11:46, Eric Rand wrote:
>> Security through obscurity is not security at all; if you are going to
>> provide ACLs, then you have an ethical obligation to ensure that they
>> do work regardless of the access path of the file.
>>
>> Compromising a facebook account and 'leaking' the image URLs for
>> access by other persons provides a means of obscuring the path of
>> leakage, thus compromising the capability of auditing the source of
>> the breach.
>>
>> In cases where the breach violates the law, as per California's
>> statutes against 'revenge porn' and the like, this directly inhibits
>> the ability of police to investigate the breach.
>>
>> Accordingly, just as in the case of the AT&T "breach", Facebook is
>> keeping data in a publicly accessible fashion that should not be
>> publicly accessible.
>>
>> The best practice for these situations is to enforce ACLs by
>> authenticating those users requesting a file to ensure that they are
>> permitted to do so, instead of relying on knowledge of the URL as the
>> authorization token.
>>
>> On 04/01/2014 07:49 AM, Philip Whitehouse wrote:
>>> Again they need the URL.
>>>
>>> If you have a way to determine the URL of a specific user's profile
>>> image from public info that would be a vulnerability.
>>>
>>> Simply the ability for a user or allowed visitor to copy the URL is
>>> not.
>>>
>>> You can determine who can see the URL in your Facebook privacy
>>> settings.
>>>
>>> Philip Whitehouse
>>>
>>> ----- Reply message -----
>>> From: "Bipin Gautam" <bipin.gau...@gmail.com>
>>> To: "Philip Whitehouse" <phi...@whiuk.com>
>>> Cc: "fulldisclosure" <fulldisclosure@seclists.org>
>>> Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction
>>> Date: Tue, Apr 1, 2014 15:19
>>>
>>> Hi,
>>>
>>> the POC is about "anyone being able to access anyone's facebook
>>> profile picture in full resolution" + regardless of the ACL set to
>>> their facebook profile picture (say; even when your profile
>>> picture permission of your facebook is set as... viewable to "only
>>> me" or "friends") ...anyone can see your full resolution profile
>>> picture even without logging on to facebook with the following
>>> method!
>>>
>>> (Assumption: maybe if you (your ISP?) are using CDN and someone in
>>> your ISP / region have already viewed the profile picture and as it
>>> is already fetched locally / cached in local CDN so, other party
>>> can access it? Does CDN have IP restriction for a region / ISP?)
>>>
>>> Try it... it works for me. Make sense?
>>>
>>> On 4/1/14, Philip Whitehouse <phi...@whiuk.com> wrote:
>>>> This is not a vulnerability.
>>>>
>>>> The image path is not predictable. Sharing the URL is by itself
>>>> giving permission for the other party to see it.
>>>>
>>>> Even if it were possible to restrict access it could be
>>>> circumvented by downloading it and emailing the file instead of
>>>> the URL.
>>>>
>>>> Philip Whitehouse
>>>>
>>>> ----- Reply message -----
>>>> From: "Bipin Gautam" <bipin.gau...@gmail.com>
>>>> To: "fulldisclosure" <fulldisclosure@seclists.org>
>>>> Subject: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction
>>>> Date: Tue, Apr 1, 2014 10:59
>>>>
>>>> Hi List,
>>>>
>>>> I felt like writing / pointing out this minor issue, as it is
>>>> "Facebook" ...
>>>>
>>>> This issue is due to the way facebook pictures are stored in CDN
>>>> without authentication mechanism, during accessing it. (which
>>>> would be way technically complicated to implement)
>>>>
>>>> Also, it is a Facebook feature that... if you have full path of
>>>> an image, you can pass it to anyone over the internet which they
>>>> can access directly (and the facebook user should not have
>>>> unrealistic expectation of privacy. Hence, if someone can access
>>>> an image they can save/email it to others, anyway.)
>>>>
>>>> POC:
>>>>
>>>> (Please TEST it in a real profile, real world example and it
>>>> should work. I obviously changed the URL, POC below, to
>>>> gibberish "6549_16544614736_444444875_n.jpg")
>>>>
>>>> STEPS:
>>>>
>>>> You could try this by:
>>>>
>>>> - changing your own facebook profile picture viewable to "only
>>>> me", then bookmark your own Facebook profile and logout and clear
>>>> cache.
>>>>
>>>> - or then try a different browser with your own profile from
>>>> bookmark, without logging in to facebook!
>>>>
>>>> - or pass your FB profile to a friend, with the following
>>>> instruction.
>>>>
>>>> ___
>>>>
>>>> - then, in your browser, "Right click the Facebook profile image"
>>>> that you want to access in full resolution (that have ACL as
>>>> access to "only me" or "friends") > click "Copy image location" > paste
>>>> it in notepad
>>>>
>>>> sample url you will get (this link below is broken):
>>>>
>>>> [1] https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg
>>>>
>>>> to remove from [1]: "/c0.18.160.160/p160x160" (part; in other cases,
>>>> the url structure may be different, you just have to find and
>>>> remove this middle part...)
>>>>
>>>> final modified url from above, with which you can access the profile
>>>> picture in full resolution via your browser:
>>>>
>>>> https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg
>>>>
>>>> Respectfully,
>>>> -bipin
>>>
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> http://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
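Eric Rand's point above (enforce the ACL by authenticating the requester instead of treating knowledge of the URL as the authorization token) and Ron's point (a bearer URL is acceptable only with enough entropy and the ability to detect abuse) are both addressed by signed, expiring CDN URLs, which is the usual way an edge cache that holds no user session can still enforce a decision made by the origin. The Python below is an added example, not code from this thread or from Facebook or Akamai: the host `cdn.example.invalid`, the signing key, the `exp`/`sig` parameter names and the `sign`, `issue_signed_url`, `verify_signed_url`, `with_path` and `demo` functions are all constructed for illustration; only the gibberish filename is taken from Bipin's post. It shows that a URL minted for the 160x160 rendition is rejected for the full-resolution path, rejected after its lifetime, and rejected when the signature is simply absent, which is the check the thread says was missing.

```python
import hmac
import hashlib
import time
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# Constructed demo key (hypothetical). A real deployment keeps this in a
# secret store shared only between the origin and the CDN edge, and rotates it.
SIGNING_KEY = b"constructed-demo-key-do-not-use"


def sign(path, expires_at, key=SIGNING_KEY):
    """HMAC-SHA256 over the exact object path and expiry.

    Binding the tag to the path is what stops a token issued for one rendition
    (the thumbnail) from being replayed against another (the full-size file).
    """
    msg = f"{path}\n{expires_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_signed_url(base, path, ttl_seconds, now=None):
    """Origin side: after its own ACL check passes, mint a short-lived URL."""
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    query = urlencode({"exp": expires_at, "sig": sign(path, expires_at)})
    return f"{base}{path}?{query}"


def verify_signed_url(url, now=None):
    """Edge side: return (accepted, reason) before serving any bytes."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires_at = int(params["exp"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing-params"
    if now > expires_at:
        return False, "expired"
    # Constant-time comparison so the edge does not leak the tag byte by byte.
    if not hmac.compare_digest(sign(parts.path, expires_at), presented):
        return False, "bad-signature"
    return True, "ok"


def with_path(url, new_path):
    """Keep the query string but swap the object path (hand-editing the URL)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, new_path, parts.query, parts.fragment))


def demo(now=1_000_000):
    """Run the four cases a reviewer would want to see; returns a dict of results."""
    base = "https://cdn.example.invalid"  # constructed host, not Facebook's CDN
    thumb = "/hprofile/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg"
    full = "/hprofile/t1.0-1/6549_16544614736_444444875_n.jpg"
    url = issue_signed_url(base, thumb, ttl_seconds=300, now=now)
    return {
        "thumb_in_window": verify_signed_url(url, now=now + 60),
        "thumb_after_expiry": verify_signed_url(url, now=now + 600),
        "full_with_thumb_sig": verify_signed_url(with_path(url, full), now=now + 60),
        "no_signature": verify_signed_url(base + full, now=now + 60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The design choice worth noting is that the signature does not replace the ACL; it carries the origin's ACL decision to the edge for a bounded time. A filename with plenty of entropy (Ron's condition) is still a bearer token that works forever once copied, which is exactly the leak path Eric Rand describes; the expiry bounds that window, and a signature failure at the edge is a loggable event, which gives the "ability to detect abuses" that a silent 200 on an unauthenticated path never will.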