Facebook picture disclosure


DingleBerries

SORRY ABOUT THE SPELLING.

Use this "exploit" to get started:

[sic]http://photos-c.ak.fbcdn.net/n210132_34947682_4899.jpg

All we need is the actual filename of the photo, and I’ve reverse-engineered the filename format as:

[photo-size][uid]_[pid]_[PIN].jpg

Photo-size is just a character in the set {t, s, n} representing the resolution of the image, uid is the user ID of the user who uploaded the photo, pid is a photo ID, and PIN is a four-digit random number. I’m calling it a PIN because it was chosen to be four decimal digits, which can only be assumed to have been done in a foolish analogy to bank card security. It’s easy to learn everything but the PIN given a public link to the photo. Brute-forcing the PIN is also fairly easy: it’s a space of 9000, which can be searched in about 45 minutes using one script.

Now grab the Firefox addon "Download Them All".

Open the Download Them All manager and click "Add URL(s)".

Paste your target's URL string. Ex:

http://photos-c.ak.fbcdn.net/n210132_UID_[1:9999].jpg

There you have it.. get at some famous people and try to sell the photo (bad, I know, but works). I have Lindsey Lohan and a few others.... BTW Facebook doesn't delete your photos when you cancel ;).

UPDATE: point your downloads to http://photos-c.ak.fbcdn.net/photos-ak-sf2...32_UID_XXXX.jpg

either took it down or are blocking my request!

Link to comment
Share on other sites
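An added example, not part of the original post or thread: a defender-side check that parses the filename format described above and flags any client that requests many different PIN values for the same photo. The log tuples, threshold and function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Filename format from the post: [photo-size][uid]_[pid]_[PIN].jpg
PHOTO_RE = re.compile(r"/(?P<size>[tsn])(?P<uid>\d+)_(?P<pid>\d+)_(?P<pin>\d{4})\.jpg$")

def parse_photo_path(path):
    """Return (size, uid, pid, pin) for a photo path, or None if it does not match."""
    m = PHOTO_RE.search(path)
    return (m["size"], m["uid"], m["pid"], m["pin"]) if m else None

def find_pin_enumeration(requests, max_pins=5):
    """requests: iterable of (client_ip, path, http_status) tuples (assumed log shape).
    Flags (client, uid, pid) keys where one client tried more than max_pins distinct
    PINs. A legitimate viewer follows a link, so it uses one PIN per photo."""
    pins = defaultdict(set)
    misses = defaultdict(int)
    for client, path, status in requests:
        parsed = parse_photo_path(path)
        if parsed is None:
            continue  # not a photo request
        _size, uid, pid, pin = parsed
        key = (client, uid, pid)
        pins[key].add(pin)
        if status == 404:
            misses[key] += 1
    return {k: {"distinct_pins": len(v), "not_found": misses[k]}
            for k, v in pins.items() if len(v) > max_pins}

# Constructed sample log entries (documentation IP ranges, made-up IDs).
SAMPLE = [("198.51.100.7", f"/n1001_2002_{pin:04d}.jpg", 404) for pin in range(1000, 1040)]
SAMPLE += [
    ("203.0.113.9", "/n1001_2002_4321.jpg", 200),  # normal viewer, full size
    ("203.0.113.9", "/t1001_2002_4321.jpg", 200),  # same viewer, thumbnail
    ("203.0.113.9", "/static/logo.png", 200),      # unrelated asset, ignored
]

if __name__ == "__main__":
    for key, stats in find_pin_enumeration(SAMPLE).items():
        print(key, stats)
```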

I personally have always hated Facebook and the above just validates my hatred for all profile sites.

That's a great find, Dingle, and I could see this as fun for messing with people I know IRL who use Facebook.

I get most of it bar the finding the 4-digit PIN part, care to enlighten us n00bish type folk?

In any case interesting reading and thanks for posting

Link to comment
Share on other sites

That didn't work... Yeah, bummer, but if you dig deep into the bowels of Facebook there's some interesting stuff going on.

What I did find though is that they did get smarter. Servers are split many ways in order to hide pictures.. I'm looking over what source I have to kind of weasel my way around, but as of yet it's not working.

http://photos-[a:z].ak.fbcdn.net/photos-ak-snc1/v23[10:99]/[1:99]/[1:99]/RANDOM/

I don't have enough to go off of for the random part. I think it has to do with the user's sid/uid. I did find out how to get the sid though.

facebook.com/ajax/search_profile.php?id=UID will print out a bunch of stuff.. interesting part is the sid. There are a few other mechanisms in place but I just started :P.

Also.

http://photos-h.ak.fbcdn.net/photos-ak-sf2...398215_2606.jpg

Good part is the last directory is our user id. 726967925/n726967925_398215_2606.jpg

And the second part is the album id /n726967925_398215_2606.jpg

It's just finding out what the stuff in the beginning means that matters.

Link to comment
Share on other sites

Bit of an update:

http://profile.ak.facebook.com/profile[1:9]/nUSERID_4DIGITNUMBER.jpg

So directories are linked. All that other stuff doesn't really matter. I am going to start a dump on a famous person and see if it works. If it does I'll post pics and try to write something to exploit this... or just download wget and try yourself :D

Link to comment
Share on other sites
