
Facebook Photo.php Identity Spoofing Vulnerability

Details

I reported this vulnerability to the Facebook Security Team in 2013 but received a response saying that "It does not appear to be a significant security risk." Though the vulnerability does not seem severe, it can be used to perform phishing attacks or defame people. However, it was finally fixed at a later date.

Facebook's photo.php file, which is used to show a page that displays an image or a video, accepts a SET parameter (photo.php?fbid=IMAGE_VIDEO_ID&set=TYPE.USER_FACEBOOK_ID). The value of the SET parameter is in the form of TYPE.USER_FACEBOOK_ID, where USER_FACEBOOK_ID is the Facebook user ID of the owner of the image/video and TYPE is a string with the following values (there might be more):

A. – Album

T. – Timeline (must be in the friend list to be accessible)

PB. – Photo Stream

GM. – Post in a group

VB – Video

The value of SET can be changed to set the "Back" links and the owner of the image/video in the page.

Example

Consider the following URL: https://www.facebook.com/photo.php?fbid=169099303296011&set=pb.4

The value of SET here is pb.4. pb means photo stream and 4 is Mark Zuckerberg's ID. Hence, the album name is "Mark Zuckerberg's photos" and the "Back to Album" link is shown.

What we can now do is replace the value of fbid with some other image ID, or replace the value of set with something else like t.123456.
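The server-side check that closes this gap, as an added example that is not part of the original post and is not Facebook's code: the owner shown on the page is taken from the stored record for fbid, and the SET value is honoured only when its user ID agrees with that record. The names MEDIA_OWNER, parse_set and resolve_owner and all IDs in it are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed ownership records (media id -> owner user id); a real service
# would read this from its own data store.
MEDIA_OWNER = {"1000001": "501", "1000002": "502"}

# Type prefixes listed above, lower-cased as in the example URL.
KNOWN_TYPES = {"a", "t", "pb", "gm", "vb"}


def parse_set(value):
    """Split a SET value of the form TYPE.USER_FACEBOOK_ID into (type, user_id)."""
    kind, sep, user_id = value.partition(".")
    kind = kind.lower()
    if not sep or kind not in KNOWN_TYPES:
        return None
    if not (user_id.isascii() and user_id.isdigit()):
        return None
    return kind, user_id


def resolve_owner(url):
    """Return (owner_id, set_type) to render for a photo.php URL.

    The owner always comes from the server-side record for fbid. The SET
    value is honoured only when its user id matches that record; otherwise
    it is dropped, so no owner name or "Back" link is built from it.
    """
    query = parse_qs(urlparse(url).query)
    fbid = query.get("fbid", [""])[0]
    owner = MEDIA_OWNER.get(fbid)
    if owner is None:
        return None  # unknown media id: render nothing
    parsed = parse_set(query.get("set", [""])[0])
    if parsed is None or parsed[1] != owner:
        return owner, None  # malformed or mismatching SET is ignored
    return owner, parsed[0]


if __name__ == "__main__":
    base = "https://www.facebook.com/photo.php"
    print(resolve_owner(base + "?fbid=1000001&set=pb.501"))  # SET agrees with the record
    print(resolve_owner(base + "?fbid=1000001&set=pb.502"))  # SET names another user
```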