Facebook Permanent Photo URIs

Posted Jun 19, 2013
Authored by Joel Shoe

Facebook appears to suffer from a critical design flaw in how users share photos using a URI. Once a URI is known, the only action the user can take to hide the contents of a photo album is to delete the album. This means that if you ever have a breach, be it someone sitting in front of your computer or someone obtaining your Facebook password, you must delete all your photo albums to keep their contents private.

tags | advisory, info disclosure
SHA-256 | 0a29cfeb80463cd152ef5b3f1d86ba9355c1a6664476d861f177f8a3a82b52fa

On or around September 27, 2012, I disclosed to Facebook through https://www.facebook.com/whitehat/report/ a critical design flaw in how users share photos using a URI. Once a URI is known, the only action the user can take to hide the contents of a photo album is to delete the album. This means that if you ever have a breach, be it someone sitting in front of your computer or someone obtaining your Facebook password, you must delete all your photo albums to keep their contents private. The only alternative is to accept that those photos are exposed and to place new photos only in new albums.

Please note the following:
1) I don't care about the bounty; I would just like to see this fixed.
2) From initial disclosure to initial contact from Facebook took 13 days, far longer than the same-day fix for a previous issue I disclosed to Facebook.

Recommended fix:

1) Provide the user a way to regenerate this URI, e.g. an "Expire this URI" link that invalidates the old one
2) Provide (or force) regeneration as an option when the user changes their password
3) When Facebook believes an account has been accessed by someone else (there's a dialog for this), provide (or force) an option to change this URI
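The three recommendations above amount to one server-side property: a share URI must be an unguessable, revocable capability rather than a permanent handle on the album. The following is an added example, not Facebook's code and not part of the original advisory; the class, method names, and the https://example.invalid/ URL prefix are all assumptions. It stores only a hash of each token (so a database read-only leak does not expose live links), gives the owner an "expire this URI" operation that swaps in a fresh link, and revokes every link on the account when the password changes or a compromise is suspected.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class ShareLink:
    album_id: str
    owner_id: str
    token_hash: str      # only the SHA-256 of the token is stored server-side
    revoked: bool = False


class AlbumShareLinks:
    """Hypothetical registry of revocable album share links (example code)."""

    BASE = "https://example.invalid/album/shared/"   # assumed URL prefix

    def __init__(self) -> None:
        self._by_hash: dict[str, ShareLink] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, owner_id: str, album_id: str) -> str:
        """Mint a fresh, unguessable link for an album and return the full URL."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        link = ShareLink(album_id, owner_id, self._digest(token))
        self._by_hash[link.token_hash] = link
        return self.BASE + token

    def resolve(self, url: str):
        """Map a presented URL to an album id; None if unknown or revoked.

        This is the only path a viewer has to the album, so a revoked link
        is indistinguishable from one that never existed.
        """
        if not url.startswith(self.BASE):
            return None
        link = self._by_hash.get(self._digest(url[len(self.BASE):]))
        if link is None or link.revoked:
            return None
        return link.album_id

    def expire(self, owner_id: str, album_id: str) -> str:
        """Fix 1, "Expire this URI": revoke all live links for the album and return a new one."""
        self._revoke(lambda l: l.owner_id == owner_id and l.album_id == album_id)
        return self.issue(owner_id, album_id)

    def revoke_all_for_account(self, owner_id: str) -> int:
        """Fixes 2 and 3: called on password change or suspected account compromise.

        Returns the number of links that were live and are now dead.
        """
        return self._revoke(lambda l: l.owner_id == owner_id)

    def _revoke(self, predicate) -> int:
        count = 0
        for link in self._by_hash.values():
            if not link.revoked and predicate(link):
                link.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    # Constructed walk-through of the breach scenario from the advisory.
    reg = AlbumShareLinks()
    leaked = reg.issue("alice", "vacation")       # attacker learns this URL
    print("attacker sees:", reg.resolve(leaked))  # 'vacation'
    fresh = reg.expire("alice", "vacation")       # owner clicks "Expire this URI"
    print("attacker now sees:", reg.resolve(leaked))  # None, album intact
    print("owner's new link works:", reg.resolve(fresh) == "vacation")
```

The album itself is never deleted; only the capability is rotated. Hashing the token means a revoked or leaked database row cannot be turned back into a working URL, and `secrets.token_urlsafe(32)` keeps the token space far too large to enumerate, which matters because `resolve` is an unauthenticated endpoint by design.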

Emails from Facebook about this:

--snip--
10/09/12

Hi Joel,

Ack - it appears the external response got dropped (we're investigating what happened there). Incredibly sorry about the delay. We're actively working on this now to confirm if this is intentional behavior.

Thanks,

Alex
Security
Facebook

--------

--snip--
10/10/12

Hey Joel,

As you expected, the investigation here indeed revealed that this was "intentional" in the sense that it has always operated this way. The URIs generated by this feature were designed to be public and permanent. Our Photos team is currently collecting additional data on the usage of this feature to determine next steps as there are a few different options available. For your reference, we're tracking this as a security enhancement rather than a high-pri bug, which means we're likely looking at a resolution time of several weeks. I'll keep you updated as the team reaches a decision on next steps.

Thanks,

Alex
Security
Facebook
--------

--snip--
10/29/12

Hi Joel,

The Photos team has decided that an option to invalidate existing links is the ideal experience here. An engineer will begin building out the functionality shortly. Will keep you updated as time estimates solidify.

Thanks,

Alex
Security
Facebook

--------

--snip--
06/14/2013

Hi,

No, that was separate. We have an engineer working on this fix, but it is part of a larger rewrite so it is taking longer.

Thanks,

Emrakul
Security
Facebook
--------
© 2022 Packet Storm. All rights reserved.