Recently, I was fiddling around with things and found something which, according to me, seems to be a bug, but is not according to Facebook.
So what I found is that the visibility/privacy settings, as in this picture, can be overruled.

I have tried reporting this to the Facebook team and according to them this is not a security bug, so I can safely post my report over here.
So, I was using the developer tools provided in Google Chrome. I asked my friend to change the privacy setting of his profile picture such that all except me could see his image. Note: while a profile picture is visible to all when someone visits a person's profile, they only see the cropped portion of the profile picture. Only the people granted access can click on it to see the complete picture. Of course, this is what Facebook claims, or maybe we have deduced it incorrectly.
I used the DOM inspector to find the unique URL of the profile picture, as in the picture below.
So, the unique URL is the portion that I have scribbled with blank (:P).
I copied this URL. Now, I went to my own account and clicked on the profile picture. Again using the DOM inspector, I found the common URL. It turned out to be this (the part which is not scribbled):
I then replaced the scribbled part of this URL with the scribbled part of the previous image.
And the result was that I could see my friend's profile picture, not only the cropped part but the whole picture. Also, going into incognito mode, I could still see it.
So according to me, this is incorrect and, as mentioned above, I reported this to Facebook twice. But it seems I am wrong. I'd like to hear your comments on this :)
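The behaviour described above is an image URL acting as a bearer capability: once the unique part is known, the full-size image is served to any session, including a logged-out one. The following is an added illustration (not Facebook's code, and not from the original post) of the check a defender would expect at the image-serving layer: the privacy rule "all except these users" is evaluated per request against the actual viewer, rather than being implied by an unguessable URL. All names, rules and the sample photo are constructed for the example.

```python
"""Hypothetical model of a privacy-aware image endpoint (constructed example)."""
from dataclasses import dataclass, field

ANONYMOUS = None  # models an incognito / logged-out request


@dataclass
class PrivacyRule:
    audience: str = "public"                      # "public" or "friends"
    except_users: set = field(default_factory=set)  # "all except ..." exclusions


@dataclass
class Photo:
    owner: str
    blob_id: str          # the "unique" part of the CDN URL from the post
    privacy: PrivacyRule


# Constructed sample data: alice's profile picture, hidden from bob only.
FRIENDS = {frozenset({"alice", "bob"}), frozenset({"alice", "carol"})}
PIC = Photo(owner="alice", blob_id="blob-7f3a",
            privacy=PrivacyRule(audience="public", except_users={"bob"}))


def insecure_serve(blob_id, known_blobs=(PIC.blob_id,)):
    """The observed behaviour: knowing the blob id is enough, viewer is ignored."""
    return "200" if blob_id in known_blobs else "404"


def can_view_full(viewer, photo):
    """Per-request authorisation: the viewer identity decides, not the URL."""
    if viewer == photo.owner:
        return True
    if viewer is ANONYMOUS:
        return False  # an anonymous session cannot be checked against an exclusion list
    if viewer in photo.privacy.except_users:
        return False
    if photo.privacy.audience == "public":
        return True
    return frozenset({viewer, photo.owner}) in FRIENDS


def serve(photo, viewer, size):
    """size is 'cropped' (thumbnail visible to all) or 'full' (privacy-checked)."""
    if size == "cropped" or can_view_full(viewer, photo):
        return "200", f"/image/{photo.blob_id}/{size}"
    return "403", None
```

Run against the sample data, the excluded friend and the anonymous session are refused the full image while the thumbnail stays visible to everyone, which is the behaviour the post expected from the privacy setting.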
EDIT:
Facebook offers an API to see the images, as in here. However, the point to be noted there is:
Permissions
- Any valid access token for any photo with public privacy settings.
- For any photos uploaded by someone, and any photos in which they have been tagged: a user access token for that person with user_photos permission.