The following is a mirror of the instructions found at this address:
http://www.cs.mun.ca/~davidc/photos.txt
Question: Why show you a facebook security exploit?
Answer: So you get scared, and do something about it.
Scenario: Your albums are completely open to be viewed by everyone, not just
people on your friends list. No programming or scripting is necessary. You can
do it all in seconds by hand.
Let me explain:
So we all know about the ‘View photos of Dave (140)’ link which appears under
your name in your profile. People can click on this link and they have
permissions to view pictures tagged of you, as long as they are your friend.
Seems reasonable, right? If a picture of your friend appears in someone else’s
album, even if you are not a friend of the person who took the photo, you can
see that one picture of your friend through this link.
For example. If you click on my profile, then photos of dave, and click the
first photo of me tagged by others, you will arrive at:
http://mun.facebook.com/photo.php?pid=1121004&op=1&view=all&subj=106500304&id=641290203
When you click on “NEXT”, you will be taken to the next chronologically
tagged picture of me. You have no access to the rest of the pictures in the
album from which that picture was taken, unless you are the taker’s friend,
right? Absolutely wrong.
First, we take a look at the way the URL string is formed for viewing photos:
http://mun.facebook.com/photo.php?
This tells facebook to load the photo.php page, onto which it will display
the picture which the arguments passed into the URL tell it to. Those
arguments (which matter) are as follows:
pid=1121004
The photo ID which facebook uses to store the photo in its databse. Not very important at this time.
&subj=106500304
This tells facebook that inside this photo is a tagged picture of 106500304,
which in this case happens to be me. Facebook stores you as a number, not a
name. Everything about you only has meaning inside this number. This number
gives you, as my friend, permission to see this photograph that has me tagged in it.
&id=641290203
This is the owner of the photograph. This photo is inside an album owned by
this person. You’d think the security lied inside this number… lol
So what you did when you typed the URL into the bar was say, hey facebook,
show me photo 1121004, which I have permission to view cause 106500304
is tagged in it, which 641290203 happens to own.
So lets try an experiment. Remove the “&subj=106500304” part from your
address bar, then hit ENTER. Congratulations, you hacker… you are now
inside that person’s album. Hitting the “NEXT” button will now allow you to
browse the entire album of that person, even if their profile name and album
name are grayed out. Why? Because apparently this is all it takes to switch
from ‘Looking at pictures of my friend Dave’ to ‘Looking at album in which
the picture is stored’.
So to repeat, the steps:
1) Find a picture your friend is tagged in
2) Remove the “&subj=XXXXXX” from the URL, hit enter
3) Click next, enjoy the album!
Leave a Reply
You must be logged in to post a comment.