26,180 reads

Bypassing Facebook Profile Picture Guard Security.

by Armaan PathanSeptember 9th, 2017

Too Long; Didn't Read

Facebook has recently introduced profile picture guard which which provides security against your profile picture and it also prevents security that your profile picture will not get misused.

Companies Mentioned

Facebook has recently introduced profile picture guard which which provides security against your profile picture and it also prevents security that your profile picture will not get misused.

So here is the Policy of the Profile Picture guard that how it secures profile picture if you use profile picture guard.

As you can see above that it has mentioned that

no one can

Download the Photo
Send in message
share it

But some how i was able to bypass this protection and was able to share the profile picture guard protected photos.

Here is the mind map of my attack, that how i was able to bypass the protection.

This is one of my friend’s profile picture which is protected with facebook profile picture guard

you will notice that there is no share & download option available in the photo so any user can not directly share this profile photo.

but as you can see in the URL bar there is a **fbid** parameter which is having some values.

now fbid contains the value of the id of the profile photo which is protected with profile picture guard.

So comming back to the basics.

facebook graph api works on 3 things

NODES ( things )
EDGES ( relation of things )
FIELDS ( value of things )

in this scenario the api was not validating ( authorising ) the relation between 2 nodes,

now which nodes?

USER & profile picture guard protected photo.

https://m.facebook.com/composer/mbasic/?c_src=share&referrer=permalink&target=%7BATTACKER_USER_ID%7D&sid=%7BVICTIM_PROFILE_PICTURE_ID%7D&m=self&exit_uri=https%3A%2F%2Fmbasic.facebook.com%2Fphoto.php%3Ffbid%3D%7BVICTIM_PROFILE_PICTURE_ID%7D%26set%3Da.125151660865930.11576.%7BATTACKER_USER_ID%7D%26type%3D1%26theater&cwevent=composer_entry&av=%7BATTACKER_USER_ID%7D&view_overview&ref_component=mbasic_photo_permalink_actionbar&ref_page=%2Fwap%2Fphoto.php&refid=13

i just generated the share link of my profile picture and replaced the my photo id with victim’s profile id & it has allowed me to share my victim’s profile picture guard protected photo which i was not allowed to.

I have reported to facebook about this issue, but they said that the profile pictures are public & bugs related to the profile picture are not eligible for reward. (SAD PART)

thanks for reading,

i hope you guys will like it.

have a great day.