Web Applications Asked on November 9, 2021
I was browsing pictures of a friend on Facebook. This friend has their privacy settings configured so that you have to be a friend to view them. I’m not able to share them, and even if I open a pic, copy the URL from the address bar, and share it with someone who is not their friend, they’re unable to view it.
However, I found a flaw in that routine. If you open up such a picture just the same, then right-click the picture and choose “Copy Image URL” (may differ depending on browser), and share that copied URL, then other non-friends are able to view it.
Is this supposed to be possible? Or is this a security breach in Facebook?
EDIT
To be more specific, when I copy the image URL from the address bar, I get…
https://www.facebook.com/photo.php?fbid=xxxxxxxxxxxxxxxx
However, when right-clicking the picture and copying the image URL, I get…
https://scontent-b.xx.fbcdn.net/xxxxxxxxxxxxxxx
It has to do with the way the respective application (Facebook in this case) works. Meaning that the pictures can be presented to the browser directly (i.e. using their HDD physical URL—your second URL example) or through a page/script that masks the physical location, as in your first URL example. So no, it’s not a flaw; it has more to do with speed and other things, as it’s easier (and faster) to point directly to the physical location of the respective file than to “form” it through a script.
Answered by Alex on November 9, 2021
Yes, it's supposed to be possible. Since the URL is a .jpg (e.g. https://scontent-a.xx.fbcdn.net/hphotos-ash4/309_60979110450_4203_n.jpg), you cannot filter its access based on your browser session.
Google+ pictures have the same behavior for instance. Here is a private photo in one of my G+ albums: https://lh3.googleusercontent.com/-LupTZHNd7bk/UkeMt9ANyvI/AAAAAAAApfI/9vCnBldf6UM/w1289-h967-no/20130928_221255.jpg
Gmail pictures, however, are really private. Notice the difference in the URL: https://mail.google.com/mail/u/0/?ui=2&ik=9b35d04bc1&view=att&th=1415c0ae407284ad&attid=0.1&disp=emb&realattid=ii_1415c0ac0763e031&zw&atsh=1
Answered by Franck Dernoncourt on November 9, 2021
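Both answers make the same point: a bare static URL on a CDN host carries no session, so once it is known it can be fetched by anyone. The usual defence, when a site wants direct CDN delivery and access control, is a signed, expiring URL: the origin appends an expiry and an HMAC over path and expiry, and the edge rejects anything without a valid, unexpired signature. The following is an added illustration of that pattern, not code from Facebook, Google or this thread; the host cdn.example.test and the signing key are constructed placeholders.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example key. In a real deployment this is shared only between
# the origin that mints links and the CDN edge that checks them.
SECRET = b"example-signing-key-not-for-real-use"


def sign_url(base, path, secret=SECRET, ttl=3600, now=None):
    """Return base+path with `exp` and `sig` query parameters.

    The MAC covers both the path and the expiry, so editing either one
    (pointing the link at another photo, or extending its lifetime)
    invalidates the signature.
    """
    now = int(time.time()) if now is None else now
    exp = now + ttl
    msg = f"{path}?exp={exp}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{base}{path}?{urlencode({'exp': exp, 'sig': sig})}"


def verify_url(url, secret=SECRET, now=None):
    """Edge-side check. Returns (ok, reason).

    ok is True only for a URL whose signature matches and has not expired.
    A plain static URL such as the fbcdn one in the question has no
    signature at all and is rejected outright.
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "exp" not in query or "sig" not in query:
        return False, "missing signature"
    try:
        exp = int(query["exp"][0])
    except ValueError:
        return False, "bad expiry"
    if now > exp:
        return False, "expired"
    msg = f"{parts.path}?exp={exp}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many
    # leading bytes of a guessed signature were correct.
    if not hmac.compare_digest(expected, query["sig"][0]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    base = "https://cdn.example.test"          # hypothetical CDN host
    issued_at = 1_700_000_000                  # fixed clock for a repeatable demo
    link = sign_url(base, "/photos/1234.jpg", now=issued_at)
    print(link)
    print(verify_url(link, now=issued_at))                          # (True, 'ok')
    print(verify_url(link, now=issued_at + 3601))                   # (False, 'expired')
    print(verify_url(base + "/photos/1234.jpg", now=issued_at))     # (False, 'missing signature')
    tampered = link.replace("/photos/1234.jpg", "/photos/1235.jpg")
    print(verify_url(tampered, now=issued_at))                      # (False, 'bad signature')
```

The design choice worth noting is that the signed link is still a bearer capability: anyone who obtains it before `exp` can use it, exactly as with the unsigned fbcdn URL. What the signature buys is a bounded lifetime and the inability to mint or modify links without the key, which is the practical middle ground between "serve straight from the CDN" and "proxy every byte through an authenticated page".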