Facebook has recently introduced profile picture guard which which provides security against your profile picture and it also prevents security that your profile picture will not get misused. So here is the Policy of the Profile Picture guard that how it secures profile picture if you use profile picture guard. As you can see above that it has mentioned that no one can Download the Photo Send in message share it But some how i was able to bypass this protection and was able to share the profile picture guard protected photos. Here is the mind map of my attack, that how i was able to bypass the protection. This is one of my friend’s profile picture which is protected with facebook profile picture guard you will notice that there is no share & download option available in the photo so any user can not directly share this profile photo. but as you can see in the URL bar there is a **fbid** parameter which is having some values. now fbid contains the value of the id of the profile photo which is protected with profile picture guard. So comming back to the basics. facebook graph api works on 3 things NODES ( things ) EDGES ( relation of things ) FIELDS ( value of things ) in this scenario the api was not validating ( authorising ) the relation between 2 nodes, now which nodes? USER & profile picture guard protected photo. h ttps://m.facebook.com/composer/mbasic/?c_src=share&referrer=permalink&target=%7BATTACKER_USER_ID%7D&sid=%7BVICTIM_PROFILE_PICTURE_ID%7D&m=self&exit_uri=https%3A%2F%2Fmbasic.facebook.com%2Fphoto.php%3Ffbid%3D%7BVICTIM_PROFILE_PICTURE_ID%7D%26set%3Da.125151660865930.11576.%7BATTACKER_USER_ID%7D%26type%3D1%26theater&cwevent=composer_entry&av=%7BATTACKER_USER_ID%7D&view_overview&ref_component=mbasic_photo_permalink_actionbar&ref_page=%2Fwap%2Fphoto.php&refid=13 i just generated the share link of my profile picture and replaced the my photo id with victim’s profile id & it has allowed me to share my victim’s profile picture guard protected photo which i was not allowed to. I have reported to facebook about this issue, but they said that the profile pictures are public & bugs related to the profile picture are not eligible for reward. (SAD PART) thanks for reading, i hope you guys will like it. have a great day.

Facebook

Target

Too Long; Didn't Read

Boost your HackerNoon story @ $159.99! 🚀

Bypassing Facebook Profile Picture Guard Security.

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

#10 Rules of Bug Bounty

A Guide To Web Security Testing: Part 1 - Mapping Contents

A Guide To Web Security Testing: Part 2 - Analyze the Web Application

Bounty0x Is Here To Change The Way People Make Money With Cryptos

Bug Bounties and Penetration Testing Will NOT Be Made Obsolete Anytime Soon.

#10 Rules of Bug Bounty

A Guide To Web Security Testing: Part 1 - Mapping Contents

A Guide To Web Security Testing: Part 2 - Analyze the Web Application

Bounty0x Is Here To Change The Way People Make Money With Cryptos

Bug Bounties and Penetration Testing Will NOT Be Made Obsolete Anytime Soon.

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps