Facebook Lied : A Facebook Feature Which Kills Another Feature
Palash Bauri 👻


Publish Date: Dec 19 '18

Facebook, Facebook, Facebook... 2018 was not quite a happy year for Facebook, though I'm not here to talk about that.

Today I'll talk about a Facebook feature which is totally killing another feature. So without further talking, let's jump into the main content.

I'll keep it short and simple...

Back in 2017, Facebook introduced Profile Picture Guard for Indian users to secure their photos from misuse.
[Source]

When Profile Picture Guard is turned on for a profile, other users will not be able to download images from that profile, and a blue border appears on the profile picture:

And at the bottom you'll not see any View Full Size option

No Download Options

Wait...!! I forgot one thing. According to the claim, Facebook should be preventing users from taking screenshots, but where is that feature? 😑

Leave that for now. There's already a Facebook feature which we can use to download anybody's profile picture, bypassing the so-called Profile Picture Guard.

So, let's take a look at how we can download a profile picture with Profile Picture Guard turned on.

The first thing we'll need is the victim's, I mean target's, numerical profile ID (or whatever it's called).
We can extract the target's numerical profile ID with https://findmyfbid.in/ if the profile ID isn't visible and the profile has a username such as bauripalash, abcd, etc.

Now visit
https://graph.facebook.com/USERNAME/picture?width=800 and replace USERNAME with the target's numerical profile ID.

Now you'll see the target user's profile picture displayed and available for download.

Now! My question is: is Facebook fooling us Indians? 😡

The day I found this, I reported it to the Facebook Whitehat Program. At first I thought there must be some authentication or API key system, and maybe it's broken somehow!
After a few days, I got a reply from a staff member. In summary, he said:

Thanks for your report, but we do not consider capturing a public image from the web to be eligible for a bounty under our program.
...
It’s important to remember the profile picture is always public. The feature you mentioned is a pilot test to see how these tools can help people have better control over how other people engage with their profile picture on Facebook.
...

I mean 😑 anybody can download a so-called guarded profile picture. Then what's the use of Profile Picture Guard? Just a fancy blue border! 😓
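To make the gap concrete, here is a small model added as an example (it is not from the original post and is not Facebook's code): the guard hides the download controls in the UI, while the image endpoint decides what is actually served. The profile fields, the 160-pixel cap and the owner-only rule are all assumptions chosen for illustration; the width of 800 is the one used in the URL above.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical model for illustration; all names and sizes are assumptions.
THUMBNAIL_WIDTH = 160  # constructed cap for a guarded picture


@dataclass
class Profile:
    user_id: str
    guard_enabled: bool
    original_width: int = 2048  # constructed value


def ui_offers_download(profile: Profile) -> bool:
    """Client-side control: the page hides 'View Full Size' and 'Download'."""
    return not profile.guard_enabled


def endpoint_ui_only(profile: Profile, requested: int, viewer: Optional[str]) -> int:
    """Image endpoint that never consults the guard flag; returns the served width."""
    return min(requested, profile.original_width)


def endpoint_enforced(profile: Profile, requested: int, viewer: Optional[str]) -> int:
    """Same endpoint, with the guard applied where the bytes are served."""
    width = min(requested, profile.original_width)
    if profile.guard_enabled and viewer != profile.user_id:
        width = min(width, THUMBNAIL_WIDTH)  # everyone but the owner gets low-res
    return width


Endpoint = Callable[[Profile, int, Optional[str]], int]


def guard_is_cosmetic(endpoint: Endpoint, profile: Profile, requested: int = 800) -> bool:
    """True when the UI hides downloads but a direct anonymous request
    still returns more than the thumbnail."""
    hidden_in_ui = not ui_offers_download(profile)
    return hidden_in_ui and endpoint(profile, requested, None) > THUMBNAIL_WIDTH


if __name__ == "__main__":
    guarded = Profile(user_id="1000", guard_enabled=True)  # constructed profile
    for name, ep in (("ui-only", endpoint_ui_only), ("enforced", endpoint_enforced)):
        print(name, ep(guarded, 800, None), guard_is_cosmetic(ep, guarded))
```

A review check like `guard_is_cosmetic` belongs in the test suite of whatever service serves the image, since that is the only layer a direct request cannot skip.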

Disclaimer: Neither I, Palash Bauri, nor Dev.to is responsible for any damage done with the methods mentioned here. This article is only for educational and awareness purposes.



Comments 15 total

  • Tobias SN, Dec 19, 2018

    I wouldn’t be surprised if they’re just playing stupid to avoid paying a bounty.

    • Palash Bauri 👻, Dec 19, 2018

      Their Arrogance will drown them!😑

    • Brian Brewder, Dec 19, 2018

      It is highly likely that everybody on the team that built this feature knew full well that there was no way to truly protect the photo before even a single line of code was written for it. The fact the photo was downloaded to the browser means it could be retrieved by a determined user.

      I'm curious to know why this feature was even created. Is profile photo stealing a thing? What would somebody do with it? I've got to believe anybody that is stealing photos for nefarious reasons (whatever that might be) would figure out how to get around whatever limitations FB implemented.

      • Palash Bauri 👻, Dec 20, 2018

        That's my point, when they know profile pictures can't be protected, then why fool people with a fancy blue border?😡

      • Guney Ozsan, Dec 20, 2018

        They could serve low-res and protect hi-res version.

        There should be some local problem. Different strange things happen around the globe.

  • Basti Ortiz, Dec 19, 2018

    I wouldn't say Facebook is "fooling" you per se. I think it's just a matter of perspective: the user and the developer.

    I feel like the "Profile Picture Guard" is really only there to "guard" against the not-so-tech-savvy people. I mean I could easily open up the DevTools to pull in the link for somebody's Facebook (or any other social media) profile picture. For the common user, they wouldn't even know that the DevTools existed. Since most of the world is not as familiar with web technologies as we—the developers—are, then yes, you could say that Facebook is fooling the developers. Otherwise, for the normal user, they are not exactly being "fooled" because most of the world is not even aware of the fact that you can pull in profile pictures yourself. The "Profile Picture Guard" acts as a pseudo-guard against the normal users.

    In conclusion, the "Profile Picture Guard" is indeed protecting you from the normal users, which constitute most of the world. With that said, Facebook is not exactly fooling anyone but the developers.

    Yes, one can argue that the users are also being fooled by extension if the developers are also fooled. On that note, then sure, Facebook is in fact fooling everyone with the feature. However, I wouldn't see it as a big deal. The user did upload their picture to the Web. It has to be expected that anything that comes into the Web can never be taken back. There is no magic undo button. It just comes with the fact that the user "agreed" to the Terms and Conditions and the Privacy Policy of Facebook upon the creation of their account. At that moment, the user surrendered their rights to have a say on what can be done with their profile pictures.

    • Palash Bauri 👻, Dec 19, 2018

      I agree, but now about 100 people know how to get somebody's Guarded Profile Picture so easily

      • Ben Sinclair, Dec 19, 2018

        I would imagine the number of people who could get someone's profile picture within a minute numbers in the millions.

  • Ben Halpern, Dec 19, 2018

    This comes on the same day it's revealed that Facebook sold Netflix and Spotify info about private DM conversations.

    Very hard to give them the benefit of doubt on any of this.

    • Palash Bauri 👻, Dec 19, 2018

      I don't understand how a person can sleep at night selling another person's privacy! 😓

  • Yoandy Rodriguez Martinez, Dec 19, 2018

    Solid and beautiful article, I was translating DDHH report on Basecamp's outage for a friend and I remember her surprise on the fact that a CEO was "taking the fall" for the whole company. We need more of that, and we need it now!

  • Darkø Tasevski, Dec 19, 2018

    If you care that much about privacy why are you using FB in the first place? They are not really known for being user privacy oriented corp... If someone cares that much about their pics being used in a malicious way, they wouldn't share them publicly, right? I'm not that familiar why is this specific to India but once you put something on the internet there is not much you can do about it, and skillful (or enough motivated) people will always find a way to get this kind of data that is at the end publicly available on the client side of the application.

    • Palash Bauri 👻, Dec 20, 2018

      I agree! I think, Parents should stop their kids from using these, explaining what's the scene in facebook..
      In my locality (And Most Of India) Facebook, Instagram and now the-Tiktok-thing has become kind of fashion item 😑

  • ComputerSmiths, Dec 20, 2018

    As Some Dood said, there are a bunch of ways of getting around this, from pulling the image off the webpage source to screen capture to photographing your monitor. One wonders why they even tried.

    On the other hand, I’m shocked to learn Facebook lied! No, wait, the other thing.

  • Michael "notriddle" Howell, Dec 20, 2018

    Reminds me of an article about Quora and their attitude towards The Internet Archive. quora.com/robots.txt

    # People share a lot of sensitive material on Quora - controversial political
    # views, workplace gossip and compensation, and negative opinions held of
    # companies. Over many years, as they change jobs or change their views, it is
    # important that they can delete or anonymize their previously-written answers.
    # 
    # We opt out of the wayback machine because inclusion would allow people to
    # discover the identity of authors who had written sensitive answers publicly and
    # later had made them anonymous, and because it would prevent authors from being
    # able to remove their content from the internet if they change their mind about
    # publishing it. As far as we can tell, there is no way for sites to selectively
    # programmatically remove content from the archive and so this is the only way
    # for us to protect writers. If they open up an API where we can remove content
    # from the archive when authors remove it from Quora, but leave the rest of the
    # content archived, we would be happy to opt back in. See the page here:
    # 
    # https://archive.org/about/exclude.php
    # 
    # Meanwhile, if you are looking for an older version of any content on Quora, we
    # have full edit history tracked and accessible in product (with the exception of
    # content that has been removed by the author). You can generally access this by
    # clicking on timestamps, or by appending "/log" to the URL of any content page.
    # 
    # For any questions or feedback about this please email robotstxt@quora.com.
    

    Because adding a line to your robots.txt is totally going to make mirroring the site impossible.
