DingleBerries Posted February 23, 2009
SORRY ABOUT THE SPELLING. Use this "exploit" to get started:
http://photos-c.ak.fbcdn.net/n210132_34947682_4899.jpg
All we need is the actual filename of the photo, and I've reverse-engineered the filename format as:
[photo-size][uid]_[pid]_[PIN].jpg
Photo-size is just a character in the set {t, s, n} representing the resolution of the image, uid is the user ID of the user who uploaded the photo, pid is a photo ID, and PIN is a four-digit random number. I'm calling it a PIN because it was chosen to be four decimal digits, which can only be assumed to have been done in a foolish analogy to bank card security. It's easy to learn everything but the PIN given a public link to the photo. Brute-forcing the PIN is also fairly easy: it's a space of 9000, which can be searched in about 45 minutes using one script.
Now grab the Firefox addon "Download Them All". Open the Download Them All manager and click "Add URL(s)". Paste your target's URL string. EX: http://photos-c.ak.fbcdn.net/n210132_UID_[1:9999].jpg
There you have it... get at some famous people and try to sell the photo (bad, I know, but it works). I have Lindsey Lohan and a few others.... BTW Facebook doesn't delete your photos when you cancel ;).
UPDATE: point your downloads to http://photos-c.ak.fbcdn.net/photos-ak-sf2...32_UID_XXXX.jpg; they either took it down or are blocking my request!
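A defender-side check for the pattern described in the post above, added here as an example and not code from the thread: it parses constructed web-server access-log lines (the client IPs and filenames are made up) against the quoted [photo-size][uid]_[pid]_[PIN].jpg format and flags any client that requests many distinct PINs for a single uid/pid, which is what a search of the 9000-value PIN space looks like from the server side.

```python
import re
from collections import defaultdict

# Filename format quoted in the post: [photo-size][uid]_[pid]_[PIN].jpg
PHOTO_RE = re.compile(r"/(?P<size>[tsn])(?P<uid>\d+)_(?P<pid>\d+)_(?P<pin>\d{4})\.jpg")

# Common Log Format request line; only the client, path and status are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log (not real traffic): one client walks PINs 1000..1004
# and then hits the real one; a second client just views the photo in two sizes.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Feb/2009:10:00:01 +0000] "GET /n210132_34947682_1000.jpg HTTP/1.1" 404 0
203.0.113.5 - - [23/Feb/2009:10:00:01 +0000] "GET /n210132_34947682_1001.jpg HTTP/1.1" 404 0
203.0.113.5 - - [23/Feb/2009:10:00:02 +0000] "GET /n210132_34947682_1002.jpg HTTP/1.1" 404 0
203.0.113.5 - - [23/Feb/2009:10:00:02 +0000] "GET /n210132_34947682_1003.jpg HTTP/1.1" 404 0
203.0.113.5 - - [23/Feb/2009:10:00:03 +0000] "GET /n210132_34947682_1004.jpg HTTP/1.1" 404 0
203.0.113.5 - - [23/Feb/2009:10:00:03 +0000] "GET /n210132_34947682_4899.jpg HTTP/1.1" 200 53120
198.51.100.9 - - [23/Feb/2009:10:00:04 +0000] "GET /s210132_34947682_4899.jpg HTTP/1.1" 200 8192
198.51.100.9 - - [23/Feb/2009:10:00:05 +0000] "GET /n210132_34947682_4899.jpg HTTP/1.1" 200 53120
"""


def detect_pin_enumeration(log_text, threshold=5):
    """Return {(client_ip, uid, pid): {"pins": n, "misses": m}} for every client
    that requested at least `threshold` distinct PINs for one (uid, pid) photo.
    A legitimate viewer asks for one PIN per photo (in any size); a brute-force
    run walks many PINs and collects mostly 404s on the way to the right one."""
    seen = defaultdict(lambda: {"pins": set(), "misses": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PHOTO_RE.search(m.group("path"))
        if not p:
            continue
        key = (m.group("ip"), p.group("uid"), p.group("pid"))
        seen[key]["pins"].add(p.group("pin"))
        if m.group("status") == "404":
            seen[key]["misses"] += 1
    return {k: {"pins": len(v["pins"]), "misses": v["misses"]}
            for k, v in seen.items() if len(v["pins"]) >= threshold}


if __name__ == "__main__":
    for (ip, uid, pid), stats in detect_pin_enumeration(SAMPLE_LOG).items():
        print(f"{ip} probed photo {uid}_{pid}: {stats['pins']} PINs, {stats['misses']} misses")
```

The same grouping applies to the later URL layouts in this thread, since the per-client count of distinct guesses for one object is the signal, not the exact path.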
shonen Posted February 23, 2009
I personally have always hated Facebook, and the above just validates my hatred for all profile sites. That's a great find, Dingle, and I could see this as fun for messing with people I know IRL who use Facebook. I get most of it bar the finding-the-4-digit-PIN part; care to enlighten us n00bish type folk? In any case, interesting reading, and thanks for posting.
DingleBerries Posted February 23, 2009 (Author)
That didn't work... Yeah, bummer, but if you dig deep into the bowels of Facebook there's some interesting stuff going on. What I did find, though, is that they did get smarter. Servers are split many ways in order to hide pictures. I'm looking over what source I have to kind of weasel my way around, but as of yet it's not working.
http://photos-[a:z].ak.fbcdn.net/photos-ak-snc1/v23[10:99]/[1:99]/[1:99]/RANDOM/
I don't have enough to go off of for the random part. I think it has to do with the user's sid/uid. I did find out how to get the sid, though: facebook.com/ajax/search_profile.php?id=UID will print out a bunch of stuff... the interesting part is the sid. There are a few other mechanisms in place, but I just started :P.
Also: http://photos-h.ak.fbcdn.net/photos-ak-sf2...398215_2606.jpg
The good part is that the last directory is our user ID: 726967925/n726967925_398215_2606.jpg
And the second part is the album ID: /n726967925_398215_2606.jpg
It's just finding out what the stuff in the beginning means that matters.
shonen Posted February 23, 2009
lol, I kind of got lost with this part: /v23[10:99]/[1:99]/[1:99]/RANDOM/ Care to explain what the 1:99 are?
DingleBerries Posted February 23, 2009 (Author)
Means 1-99, so it just counts up.
DingleBerries Posted February 25, 2009 (Author)
Bit of an update: http://profile.ak.facebook.com/profile[1:9]/nUSERID_4DIGITNUMBER.jpg so directories are linked. All that other stuff doesn't really matter. I am going to start a dump on a famous person and see if it works. If it does I'll post pics and try to write something to exploit this... or just download wget and try yourself :D