Jump to content

Facebook picture discluoser


Recommended Posts


Use this "exploit" to get started:


All we need is the actual filename of the photo, and I’ve reverse-engineered the filename format as:


Photo-size is just a character in the set {t, s, n} representing the resolution of the image, uid is the user ID of the user who uploaded the photo, pid is a photo ID, and PIN is a four-digit random number. I’m calling it a PIN because it was chosen to be four decimal digits, which can only be assumed to have been done in a foolish analogy to bank card security. It’s easy to learn everything but the PIN given a public link to the photo. Brute-forcing the PIN is also fairly easy: it’s a space of 9000, which can be searched in about 45 minutes using one script.

Now grab the Firefox addon "Download Them All".

Open Download them all manager and click "Add URL(s)"

Paste your targets URL string. EX:


There you have it.. get at some famous people and try to sell the photo(bad i know but works). I have Lindsey Lohan and a few others....BTW facebook doesnt delete your photos when you cancel ;).

UPDATE: point your downloads to http://photos-c.ak.fbcdn.net/photos-ak-sf2...32_UID_XXXX.jpg

either took it down or are blocking my request!

Link to comment
Share on other sites

I personally have always hated facebook and the above just validates my hatred for all profile sites.

Thats a great find dingle and I could see this as fun for messing with people I know IRL who use facebook.

I get most of it bar the finding the 4 digit pin part, care to enlighten us n00bish type folk?

In any case interesting reading and thanks for posting

Link to comment
Share on other sites

That didnt work... Yeah bummer but if you digg deep into the bowels of facebook theres some interesting stuff going on.

What i did find though is that they did get smarter. Servers are split many ways in order to hide pictures.. Im looking over what source I have to kind of weasel my way around, but as of yet its not working.


I dont have enough to go off of for the random part. I think it has to do with the users sid/uid. I did find out how to get the sid though

facebook.com/ajax/search_profile.php?id=UID will print out a bunch of stuff.. interesting part is the sid. There are a few other mechanisms in place but I just started :P.



Good part is the last directory is our user id. 726967925/n726967925_398215_2606.jpg

And the second part is the album id /n726967925_398215_2606.jpg

Its just finding out what the stuff in the begining means that matters.

Link to comment
Share on other sites

Bit of an update:


so directories are linked. All that other stuff doesnt really matter. I am going to start a dump on a famous person and see if it work. If it does ill post pics and try to write some thing to exploit this... or just download wget and try yourself :D

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...