<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Digicorp &#187; Security</title>
	<atom:link href="http://dev.digi-corp.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://dev.digi-corp.com</link>
	<description>&#62;&#62; Developer Blog</description>
	<lastBuildDate>Wed, 22 Jun 2011 14:13:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Watch albums of strangers on Facebook!</title>
		<link>http://dev.digi-corp.com/2009/06/watch-albums-of-strangers-on-facebook/</link>
		<comments>http://dev.digi-corp.com/2009/06/watch-albums-of-strangers-on-facebook/#comments</comments>
		<pubDate>Sat, 27 Jun 2009 11:36:38 +0000</pubDate>
		<dc:creator>divyang.shah</dc:creator>
				<category><![CDATA[Code]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://dev.digi-corp.com/?p=810</guid>
		<description><![CDATA[Facebook has always been touted to have strong privacy controls. For the most part that is true, and it is much better than most other social networks. But as the biggest social network it does have loopholes that can easily be exploited, at least by developers like us. Today I am going to talk about [...]]]></description>
			<content:encoded><![CDATA[<p>Facebook has always been touted to have strong privacy controls. For the most part that is true, and it is much better than most other social networks. But as the biggest social network it does have loopholes that can easily be exploited, at least by developers like us.</p>
<p>Today I am going to talk about one such exploit:</p>
<p><strong>How to view albums of people who are not your friends?</strong></p>
<p>When we search for interesting people on Facebook, most of the time you will find that their profile is restricted. Usually you will only be able to see their profile photo and send them a message. To see their full profile or albums we have to send an &#8220;add friend&#8221; request, and only if they approve can we see their photos and profile.</p>
<p>But here is one way to bypass this:</p>
<p>First you have to add the Developers application in Facebook, which can be added from the following link:</p>
<p>Link: <a href="http://www.facebook.com/developers/?ref=sb">http://www.facebook.com/developers/?ref=sb</a></p>
<p>Then go to this link</p>
<p><a href="http://developers.facebook.com/tools.php">http://developers.facebook.com/tools.php</a></p>
<p>It will open the page below. Choose your response format and also set method = photos.getalbum, as shown in the image below.</p>
<p style="text-align: center;"><img class="size-full wp-image-811 aligncenter" src="http://dev.digi-corp.com/wp-content/uploads/2009/06/facebook1.png" alt="facebook1" width="665" height="498" /></p>
<p>After that, enter the Facebook user id whose photos you want to see in the &#8220;uid&#8221; text box, as shown in the image below, and then press the &#8220;call method&#8221; button.</p>
<p>Get the Facebook id from the address bar, or find the &#8220;add as a friend&#8221; link in the web page and move your mouse cursor over it; the Facebook id appears in the status bar, as shown in the image.</p>
<p><img class="aligncenter size-full wp-image-863" src="http://dev.digi-corp.com/wp-content/uploads/2009/06/facebook31.JPG" alt="facebook3" width="669" height="483" /></p>
<p>You will get details of all the albums of that user, if he or she has any, in the box on the right-hand side, as shown in the image below.</p>
<p>Copy the link content from the right-hand box, paste it into another browser or tab and press enter, and you can see all photos from that album without adding the user as a friend.</p>
<p><img class="aligncenter size-full wp-image-812" src="http://dev.digi-corp.com/wp-content/uploads/2009/06/facebook2.png" alt="facebook2" width="665" height="498" /></p>
<p>Note: I have changed all the ids; they are not real.</p>
<p>I hope that with the help of this article and the community, Facebook will notice this bug and resolve it.</p>
<p>So enjoy peeking at strangers&#8217; albums. <img src='http://dev.digi-corp.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /></p>
<p><strong>Update: It seems that Facebook has resolved this bug now.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://dev.digi-corp.com/2009/06/watch-albums-of-strangers-on-facebook/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>ASP.NET Security</title>
		<link>http://dev.digi-corp.com/2009/05/aspnet-security/</link>
		<comments>http://dev.digi-corp.com/2009/05/aspnet-security/#comments</comments>
		<pubDate>Sat, 30 May 2009 05:41:11 +0000</pubDate>
		<dc:creator>nikunj.padaliya</dc:creator>
				<category><![CDATA[asp.net]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[ASP.NET Security]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Authorization]]></category>

		<guid isPermaLink="false">http://dev.digi-corp.com/?p=335</guid>
		<description><![CDATA[Security is one of the most important concerns in application software development. Building a robust security model is one of the most important factors that drive the success of application software. As far as security in ASP.NET is concerned, three terms come into my mind, i.e., Authentication, Authorization and Impersonation. Put simply, authentication authenticates the [...]]]></description>
			<content:encoded><![CDATA[<p>Security is one of the most important concerns in application software development. Building a robust security model is one of the most important factors that drive the success of application software. As far as security in ASP.NET is concerned, three terms come to mind: Authentication, Authorization and Impersonation. Put simply, authentication verifies the user’s credentials, and authorization determines which resources an authenticated user has access to. This article is the first in a series of articles on ASP.NET security and discusses these concepts and their applicability.</p>
<p>Let us start our discussion with a brief outline of the sequence of events, as far as authentication and authorization are concerned, when a new request comes in. When a new request arrives at IIS, it first checks the validity of the incoming request. If the authentication mode is anonymous (the default), the request is authenticated automatically. But if the authentication mode is overridden in the web.config settings, IIS performs the specified authentication check before the request is passed on to ASP.NET.</p>
<p><strong>Authentication</strong></p>
<p>Authentication determines whether a user is valid or not based on the user’s credentials. Note that a user can only be authorized to access resources once that user has been authenticated. The application’s web.config file contains all of the configuration settings for an ASP.NET application. An authentication provider is used to prove the identity of the users in a system. There are three ways to authenticate a user in ASP.NET:</p>
<p>Forms authentication<br />
Windows authentication<br />
Passport authentication</p>
<p><strong>Forms Authentication</strong></p>
<p>This is based on cookies, where the user name and the password are stored either in a text file or a database. It supports both session and persistent cookies. After a user is authenticated, the user’s credentials are stored in a cookie for use in that session. When a user who has not logged in requests a secured page, he or she is redirected to the login page of the application. The following code snippet illustrates how this can be implemented in ASP.NET.</p>
<p>&lt;configuration&gt;<br />
&lt;system.web&gt;<br />
&lt;!-- the forms element must be a child of authentication --&gt;<br />
&lt;authentication mode="Forms"&gt;<br />
&lt;forms name="LoginForm" loginUrl="LoginForm.aspx" /&gt;<br />
&lt;/authentication&gt;<br />
&lt;authorization&gt;<br />
&lt;!-- "?" denotes anonymous (unauthenticated) users --&gt;<br />
&lt;deny users="?" /&gt;<br />
&lt;/authorization&gt;<br />
&lt;/system.web&gt;<br />
&lt;/configuration&gt;</p>
<p><strong>Windows Authentication</strong></p>
<p>Windows Authentication is used to validate a user based on the user’s Windows account; however, this is only applicable in intranet environments where the administrator has full control over the users in the network. The following code snippet illustrates how we can implement Windows Authentication in ASP.NET.</p>
<p>&lt;authentication mode="Windows" /&gt;<br />
&lt;authorization&gt;<br />
&lt;!-- "*" denotes all users --&gt;<br />
&lt;allow users="*" /&gt;<br />
&lt;/authorization&gt;</p>
<p><strong>Passport Authentication</strong></p>
<p>Passport authentication is a centralized authentication service that uses Microsoft&#8217;s Passport Service to authenticate the users of an application. It allows the users to create a single sign-in name and password to access any site that has implemented the Passport single sign-in (SSI) service. The following code snippet illustrates how we can implement Passport Authentication in ASP.NET.</p>
<p>&lt;configuration&gt;<br />
&lt;system.web&gt;<br />
&lt;authentication mode="Passport"&gt;<br />
&lt;passport redirectUrl="LoginForm.aspx" /&gt;<br />
&lt;/authentication&gt;<br />
&lt;authorization&gt;<br />
&lt;deny users="?" /&gt;<br />
&lt;/authorization&gt;<br />
&lt;/system.web&gt;<br />
&lt;/configuration&gt;</p>
<p><strong>Authorization</strong></p>
<p>Authorization is the process of determining the accessibility of a resource for a previously authenticated user. Note that authorization can only work on authenticated users, hence ensuring that no unauthenticated user can access the application. The syntax for specifying authorization in ASP.NET is as follows.</p>
<p>&lt;authorization&gt;<br />
&lt; [ allow | deny ] [ users ] [ roles ] [ verbs ] /&gt;<br />
&lt;/authorization&gt;</p>
<p>In ASP.NET, there are the following types of authorization.</p>
<p>URL Authorization<br />
File Authorization<br />
Authorization based on ACL (Access Control List)</p>
<p><strong>Impersonation</strong></p>
<p>According to MSDN, &#8220;When using impersonation, ASP.NET applications can optionally execute with the identity of the client on whose behalf they are operating. The usual reason for doing this is to avoid dealing with authentication and authorization issues in the ASP.NET application code. Instead, you rely on Microsoft Internet Information Services (IIS) to authenticate the user and either pass an authenticated token to the ASP.NET application or, if unable to authenticate the user, pass an unauthenticated token. In either case, the ASP.NET application impersonates whichever token is received if impersonation is enabled. The ASP.NET application, now impersonating the client, then relies on the settings in the NTFS directories and files to allow it to gain access, or not. Be sure to format the server file space as NTFS, so that access permissions can be set”.</p>
<p>Note that impersonation is disabled by default and can be specified in the web.config file as shown in the code snippet given below.</p>
<p>&lt;identity impersonate="true" /&gt;<br />
or<br />
&lt;identity impersonate="false" /&gt;</p>
<p>To impersonate a particular identity, specify the following in your application’s web.config file.</p>
<p>&lt;!-- sample credentials; the password is stored in plain text here, so protect this section in a real deployment --&gt;<br />
&lt;identity impersonate="true" userName="joydip" password="jude" /&gt;</p>
]]></content:encoded>
			<wfw:commentRss>http://dev.digi-corp.com/2009/05/aspnet-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

