Facebook photos authorization bypass (yet another)

What happens when a programmer reinvents the wheel? From a security perspective, all kinds of bad stuff. Here is another report of an authorization bypass for Facebook photos which can allow anyone (not just the people in your friend network) to see your photos. The "secret" to getting to someone's photo?
[photo-size][uid]_[pid]_[PIN].jpg
Photo-size is a single character from the set {t, s, n} giving the resolution of the image, uid is the user ID of the user who uploaded the photo, pid is a photo ID, and PIN is a four-digit random number [which is actually not as random as it initially appears].
Src: Light Blue Touchpaper » Blog Archive » New Facebook Photo Hacks [Tx @innismir @kaospunk]
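To make the "reinvented wheel" concrete, here is an added example (not code from the original post, from the Light Blue Touchpaper article, or from Facebook). It parses the filename layout quoted above, shows how small the search space of a four-digit PIN is even if it were perfectly random, and contrasts it with a hypothetical signed-URL scheme in which the last field is an HMAC tag over the visible IDs instead of a short PIN. The class name, the signing key and all user/photo IDs are assumptions constructed for the example.

```python
"""Added example: guessable 4-digit photo PIN vs. an HMAC-signed capability name.
Not the page's or Facebook's code; all keys and IDs below are constructed."""
import hashlib
import hmac
import math
import re

# Filename layout as quoted in the post: [photo-size][uid]_[pid]_[PIN].jpg
WEAK_NAME_RE = re.compile(
    r'^(?P<size>[tsn])(?P<uid>\d+)_(?P<pid>\d+)_(?P<pin>\d{4})\.jpg$'
)


def parse_weak_name(name):
    """Split a photo filename into its fields; return None if it does not match."""
    m = WEAK_NAME_RE.match(name)
    if not m:
        return None
    return {
        'size': m['size'],
        'uid': int(m['uid']),
        'pid': int(m['pid']),
        'pin': m['pin'],  # kept as a string so leading zeros survive
    }


def pin_entropy_bits(pin_digits=4):
    """Bits of entropy in a uniformly random numeric PIN of this many digits.
    Four digits is log2(10^4) ~ 13.3 bits, i.e. only 10,000 possibilities,
    and the post notes the real PIN is less random than that."""
    return math.log2(10 ** pin_digits)


class SignedPhotoName:
    """Hypothetical hardened scheme (an assumption, not Facebook's design):
    the server keeps a secret key and derives the final field as an HMAC
    over (size, uid, pid). Knowing the uid and pid no longer lets anyone
    reconstruct the name, and the tag is 128 bits rather than 13."""

    def __init__(self, key, tag_bytes=16):
        self.key = key            # server-side secret; constructed in the test
        self.tag_bytes = tag_bytes

    def tag_bits(self):
        return self.tag_bytes * 8

    def _tag(self, size, uid, pid):
        msg = f"{size}{uid}_{pid}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return digest[: self.tag_bytes * 2]   # hex, two chars per byte

    def make_name(self, size, uid, pid):
        """Build the name the server would hand out."""
        return f"{size}{uid}_{pid}_{self._tag(size, uid, pid)}.jpg"

    def verify_name(self, name):
        """Accept a name only if its tag matches the visible IDs; any change
        to uid, pid or size invalidates it. Constant-time comparison avoids
        leaking how many leading characters of the tag were right."""
        m = re.match(
            r'^(?P<size>[tsn])(?P<uid>\d+)_(?P<pid>\d+)_(?P<tag>[0-9a-f]+)\.jpg$',
            name,
        )
        if not m:
            return False
        expected = self._tag(m['size'], m['uid'], m['pid'])
        return hmac.compare_digest(expected, m['tag'])


if __name__ == '__main__':
    print(parse_weak_name('n123_456_7890.jpg'))
    print(f"4-digit PIN: {pin_entropy_bits(4):.1f} bits")
    signer = SignedPhotoName(b'constructed-demo-key')
    good = signer.make_name('n', 123, 456)
    print(good, signer.verify_name(good), signer.verify_name(good.replace('_456_', '_457_')))
```

The point of the comparison is that the weak scheme's only secret is the PIN, which a single party can exhaust in 10,000 tries per photo, whereas the signed variant ties each name to a server secret; the real fix, of course, is to check the requester's authorization on every fetch rather than relying on the name being hard to guess.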
