[funsec] Facebook Image Privacy

Imri Goldberg lorgandon at gmail.com
Sun Jan 17 14:26:58 CST 2010


On Sun, Jan 17, 2010 at 9:38 PM, Dan Kaminsky <dan at doxpara.com> wrote:

> It's a password to a single asset, which is retrieved in its entirety.  If
> you allow "omg, somebody could share the link" to be considered a security
> hole, then I can see the stories now...
>
> "OMG!  Save Picture!"
> "OMG!  Print Screen!"
> "OMG!  SOMEBODY COULD TAKE A PHOTO OF THEIR SCREEN!"
>
> :)
>
>
This discussion got my interest piqued, so I did a small test.
Picture IDs are sequential, and person IDs are already known. The secret
in this case is the l query parameter, which seems to be a 5-byte value. Two
sequential pictures don't get the same secret. The album also has a
different secret.

It seems you're right :)

Cheers,
Imri

(One minor point though: you can't change the secret as you would a regular
password, except by recreating an album, afaict).

-- 
Imri Goldberg
--------------------------------------
http://plnnr.com/ - automatic trip planning
http://www.algorithm.co.il/blogs/
--------------------------------------
-- insert signature here ----
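The test Imri describes (pull the l parameter off a few neighbouring picture URLs, confirm the secrets differ, and ask how much guessing they would actually resist) can be scripted. The block below is an added example, not code from the thread or from Facebook: the host, paths and the pid/id/aid parameter names are assumptions, the sample URLs are constructed, and only the parameter name l comes from the post. It infers the keyspace from the encoded length and alphabet of the observed secrets, so it answers the "5 bytes of what?" question the post leaves open: five hex characters are 20 bits, five base36 characters about 26, five raw bytes 40.

```python
import math
import string
from urllib.parse import urlparse, parse_qs

# Name of the query parameter carrying the secret; "l" is what the post
# reports. The rest of the URL layout below is assumed for illustration.
SECRET_PARAM = "l"

# Constructed sample URLs (not real links): three sequential picture ids
# belonging to one person id, plus that person's album link.
SAMPLE_URLS = [
    "http://example.invalid/photo.php?pid=1000001&id=424242&l=k3x9q",
    "http://example.invalid/photo.php?pid=1000002&id=424242&l=m7p2z",
    "http://example.invalid/photo.php?pid=1000003&id=424242&l=a1b2c",
    "http://example.invalid/album.php?aid=5001&id=424242&l=zz01h",
]


def extract_secret(url, param=SECRET_PARAM):
    """Return the secret query parameter from a capability URL."""
    values = parse_qs(urlparse(url).query).get(param)
    if not values:
        raise ValueError(f"parameter {param!r} missing in {url}")
    return values[0]


def alphabet_size(secrets):
    """Infer the smallest common encoding alphabet the observed secrets fit in."""
    chars = set("".join(secrets))
    if chars <= set(string.hexdigits.lower()):
        return 16
    if chars <= set(string.ascii_lowercase + string.digits):
        return 36
    if chars <= set(string.ascii_letters + string.digits + "-_"):
        return 64
    return len(chars)  # fall back to what was actually observed


def keyspace_bits(secrets):
    """Upper bound on the secret's entropy, from its encoded length and alphabet."""
    lengths = {len(s) for s in secrets}
    if len(lengths) != 1:
        raise ValueError(f"inconsistent secret lengths: {sorted(lengths)}")
    (length,) = lengths
    return length * math.log2(alphabet_size(secrets))


def all_distinct(secrets):
    """The check from the post: neighbouring ids must not share a secret."""
    return len(set(secrets)) == len(secrets)


def expected_hours_to_guess(bits, requests_per_second):
    """Expected online guessing time for one secret (half the keyspace),
    assuming nothing but the attacker's request rate limits the search."""
    guesses = 2 ** (bits - 1)
    return guesses / requests_per_second / 3600


def analyse(urls, requests_per_second=1000):
    """Summarise what a handful of neighbouring capability URLs tell us."""
    secrets = [extract_secret(u) for u in urls]
    bits = keyspace_bits(secrets)
    return {
        "secrets": secrets,
        "distinct": all_distinct(secrets),
        "bits": bits,
        "hours_to_guess": expected_hours_to_guess(bits, requests_per_second),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_URLS)
    print(f"secrets: {result['secrets']}")
    print(f"all distinct: {result['distinct']}")
    print(f"keyspace: about {result['bits']:.1f} bits")
    print(f"expected guessing time at 1000 req/s: {result['hours_to_guess']:.1f} hours")
```

The guessing-time figure assumes the server does nothing to slow an attacker who walks the sequential picture ids and tries l values; rate limiting or lockout on unknown secrets changes the picture entirely, and the figure is an upper bound on entropy, not a measurement of how the secrets are generated. The sample secrets here are five base36 characters, which comes out near 26 bits; real values would need to be observed rather than assumed.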

