The current exploit uses the mobile text application to pass images:
http://www.facebook.com/connect/uiserver.php?app_id=2915120374
&method=stream_publish
&redirect_uri=http://www.facebook.com
&from=SENDERID
&target_id=RECEIVERID
&action_links=[{"text":"Your Text Here",
"href":"http://www.blank.com/"}]
&attachment={'media':[{'type':'image',
'src':'animationurl',
'href':'anyurl'}],
'description':'LongDescription',
'properties':{'Anything':{'text':'Anything',
'href':'anyurl'}}}
The only thing really needed is the animationurl, which needs to be a Facebook hosted image.
These are the ways that were previously possible:
- Changing the filename to .gif
- Changing the file dimensions to around 120 px to bypass compression
- Changing header data, or adding bytes to the end of the file (for example after the 3B byte that terminates GIF data), to bypass Facebook's image tools
- Via Facebook FBML
- Via Facebook HTML tags in notes
The first working way seems to be sharing the set of GIFs already available on Facebook's servers by tagging users in them. I have not seen any new GIFs appear apart from those that already circulate.
The second abuses the Facebook API through a Facebook Application: the developer hid the GIFs in a video embed preview.
Now, assuming one were to figure it out, you would be banned, because it means the image upload system is flawed and dangerous code could be executed by concealing it in a GIF or picture. It seems that the Facebook Photo Team will make sure GIFs do not stay around any more.
This is the person who prevents us from using .gif on Facebook: Nathaniel Roman
And from the old Facebook Developer Wiki (some of this may have changed by now, but the gist remains the same):
Facebook Platform handles img tags in a special manner. When publishing a page, Facebook servers request any image URLs and then serves these images, rewriting the src attribute of all img tags using a *.facebook.com domain. This protects the privacy of Facebook's users and allows them to better control the quality of service of their images.
There are several reasons for the existence of the image cache:
- We need a way to ensure some degree of quality and uniformity in the images displayed on users' profiles (no animated images, no 50 MB images, etc.)
- We need to protect users' privacy and not allow malicious applications to extract information from image requests made directly from a viewing user's browser
- Probably most important to you, the image cache shields developers from the potentially enormous load of serving these images, putting the burden on Facebook's resources instead
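As an added illustration of the check such an image cache has to do on the server side (example code written for this page, not Facebook's own; the sample GIF bytes are constructed inside the block): it walks the GIF block structure to count frames and to flag data appended after the trailer, so neither the filename nor bytes added after the 3B trailer change the result.

```python
import struct

def _color_table_len(packed):
    # bit 7: colour table present; bits 0-2: size exponent; table is 3 * 2^(n+1) bytes
    return 3 << ((packed & 0x07) + 1) if packed & 0x80 else 0

def _skip_subblocks(data, pos):
    # data sub-blocks: a length byte followed by that many bytes, until a 0x00 length byte
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def inspect_gif(data):
    """Return (frame_count, bytes_after_trailer) by walking the real block structure."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13 + _color_table_len(data[10])   # header + logical screen descriptor + global table
    frames = 0
    while True:
        if pos >= len(data):
            raise ValueError("missing trailer")
        block, pos = data[pos], pos + 1
        if block == 0x3B:                    # trailer: anything after it is appended junk
            return frames, len(data) - pos
        if block == 0x21:                    # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:                  # image descriptor: 9 bytes, local table, LZW size
            pos += 9 + _color_table_len(data[pos + 8]) + 1
            pos = _skip_subblocks(data, pos)
            frames += 1
        else:
            raise ValueError("unexpected block 0x%02X at offset %d" % (block, pos - 1))

def is_animated(data):
    return inspect_gif(data)[0] > 1

# Constructed 1x1 samples (not real uploads): a static GIF, a two-frame animation
# with a NETSCAPE loop extension, and the same animation with bytes appended after 0x3B.
_HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + bytes(6)
_FRAME = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
_LOOP = b"\x21\xFF\x0BNETSCAPE2.0\x03\x01\x00\x00\x00"
_GCE = b"\x21\xF9\x04\x00\x00\x00\x00\x00"
STATIC_GIF = _HEADER + _FRAME + b"\x3B"
ANIMATED_GIF = _HEADER + _LOOP + _GCE + _FRAME + _GCE + _FRAME + b"\x3B"
PADDED_GIF = ANIMATED_GIF + b"\x00" * 16
```

A cache that re-encodes uploads would normally keep only the first frame when `is_animated` is true, which is why renaming or padding the file does not help and only a flaw in the parser itself would.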
And finally, as I have mentioned elsewhere, although it is not stated anywhere in the TOS:
By uploading a file you certify that you have the right to distribute this picture and that it does not violate the Terms of Service.
So you may get a pat on the back for testing on a Test User Account, but if you use an exploit (if found) on a personal account, I am certain you will end up seeing your account terminated.
P.S. Don't assume that Facebook employees do not see this information while you are browsing sites.
The moment an exploit becomes public, it will be shut down just as quickly.