I was creating a presentation last week covering the security risks and weaknesses of social networking websites and I found a few interesting things. The most interesting flaw I found was the poor control around access to users' photo albums on Facebook. It is not the world's biggest hack by a long way, but it is still interesting.
I contacted Facebook last Thursday and never received a response, so I felt it was time to post the full details on my blog. Most Facebook users will know that you can give out a public URL for every photo and album you upload so that non-Facebook users can view them. I wondered whether this could be exploited to access any user's photos and albums without being their friend, without being in a group with them, without having mutual friends with them, and so on. It turns out it is possible: access to an album depends on nothing more than knowing a couple of guessable numeric identifiers. All you have to do is perform a search, hover over the "add friend" link, fire up Burp Suite and sit back and wait for the photos!
So that's it really. It is very simple to carry out this hack and access anyone's profile picture album. But the title of this blog post is "Access any album on any Facebook profile", not just accessing one album.
To access any album you do the same as above, but also mark the aid= value as a payload position (§§) in Burp Suite's Intruder and add a second custom iterator payload set using the digits 0123456789, always 5 characters in length. It will obviously take longer than the first hack because we are brute-forcing two values instead of one, so the number of requests is the product of the two keyspaces rather than the sum, but it will give you access to any album on any Facebook profile.
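To make the underlying flaw concrete, here is an added toy model of the access check, written for this post and not code from Facebook or from the original write-up. It puts a handler that serves any album whose numeric aid exists (the behaviour the brute force relies on) next to a hardened handler that checks the viewer's relationship to the album owner first, and models Intruder's iteration over aid= values against each. The users, album ids, visibility levels and friend list are all constructed sample data; the 5-digit aid range and the "public / friends / only_me" visibility names are assumptions, not Facebook's actual scheme.

```python
"""Toy model of the album access-control flaw described in the post.

vulnerable_fetch serves an album purely because its (owner, aid) pair exists,
so iterating the aid space leaks every album. hardened_fetch authorises the
viewer against the owner first and answers "denied" and "not found"
identically, so the response no longer works as an existence oracle.
All data below is constructed sample data, not real accounts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Album:
    owner: str
    aid: int          # assumption: a 5-digit numeric id, like the aid= parameter
    visibility: str   # assumption: one of "public", "friends", "only_me"


# Constructed sample data: one owner, three albums, one friendship.
FRIENDS = {("alice", "bob"), ("bob", "alice")}
ALBUMS = {
    (a.owner, a.aid): a
    for a in (
        Album("alice", 10001, "public"),
        Album("alice", 10002, "friends"),
        Album("alice", 10003, "only_me"),
    )
}


def vulnerable_fetch(viewer, owner, aid):
    """The flaw: the viewer is ignored; knowing (owner, aid) is enough."""
    return ALBUMS.get((owner, aid))


def hardened_fetch(viewer, owner, aid):
    """Serve the album only if this viewer is allowed to see it.

    Existence is checked first but never revealed: a forbidden album and a
    non-existent one both return None, so enumeration cannot tell them apart.
    """
    album = ALBUMS.get((owner, aid))
    if album is None:
        return None
    if viewer == owner or album.visibility == "public":
        return album
    if album.visibility == "friends" and (viewer, owner) in FRIENDS:
        return album
    return None


def enumerate_albums(fetch, viewer, owner, id_range):
    """Model Intruder iterating a numeric payload over aid= for one owner.

    Returns the sorted ids the handler was willing to serve to this viewer.
    """
    found = []
    for aid in id_range:
        if fetch(viewer, owner, aid) is not None:
            found.append(aid)
    return sorted(found)


def cluster_bomb_requests(alphabet_size, length, positions):
    """Requests needed when every payload position iterates a fixed-length
    numeric iterator: the keyspaces multiply, they do not add."""
    return (alphabet_size ** length) ** positions


if __name__ == "__main__":
    ids = range(10000, 10100)   # a slice of the 5-digit space, for speed
    print("stranger vs vulnerable:", enumerate_albums(vulnerable_fetch, "mallory", "alice", ids))
    print("stranger vs hardened:  ", enumerate_albums(hardened_fetch, "mallory", "alice", ids))
    print("friend vs hardened:    ", enumerate_albums(hardened_fetch, "bob", "alice", ids))
    print("one 5-digit field:", cluster_bomb_requests(10, 5, 1),
          " two fields:", cluster_bomb_requests(10, 5, 2))
```

The fix that matters is the relationship check in hardened_fetch; making aid unguessable (a long random token instead of a 5-digit counter) only slows the enumeration down and is defence in depth, not a substitute for authorisation.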