Hacker News new | ask | show | jobs
by JSadowski 4855 days ago
No way to fix it? Not that they should, but Facebook could just stop redirecting www.facebook.com/profile.php to www.facebook.com/<username>

By making that change (and having no other way to hit a page that redirects to my user page), there is no URL for the attacker to check against.
2 comments
blakel 4855 days ago
That probably breaks links though.
link
grey-area 4854 days ago
Who needs to link to the current user's profile page without knowing it? Only FB should have to do that and they know the profile page url. Other people should be linking to the profile page directly only if they know it, not based on which user is viewing. They should really have two profile URLs:

http://facebook.com/profile.php - private profile, no redirect

http://facebook.com/some.user.name - public profile (profile.php?id=123 could redirect here given an id so as not to break old links)

To fix this FB could stop doing this redirect entirely as it leaks information about the current user's session, and should not be necessary. I'm sure it'll break someone's links, somewhere, but it was a bad idea to begin with, and related is this old trick which let's you view a very popular profile:

http://facebook.com/profile.php?=112398345098345

All that should be required is a public profile url which can be shared (if you wish) or not, and a private profile url, and the url of the private profile should be generic and not redirected, so that it doesn't leak info in this way, and because it's not the same as a public profile anyway.

link
nadaviv 4854 days ago
The problem with that is that different people viewing the same URL (/profile.php) gets a different resource. What happens if someone gives a link to his profile.php over IM or something, expecting it to show his own profile? The URL the user is shown in the address bar should represent the current resource being viewed.

A better solution could be to replace links to profile.php with direct links to the real profile URL, and just kill that profile.php redirection.

link
grey-area 4854 days ago
In the same way that different people viewing:

http://facebook.com/

see a different resource? For a web app like FB I don't think this avoidable. All data served is dependent on who you are when you are logged in.

For another example of how to handle this better, see twitter:

twitter.com - the user's feed, content differs for each user

twitter.com/username - the user's public url, for sharing, a proper URI which everyone can use

twitter.com/settings/profile - the user's private profile, content differs for each user

I agree they shouldn't need that redirection with no id supplied and I suspect it's just a legacy of the original way of showing profiles (profile.php?id=n), they could just redirect it to root instead (shows the same as profile.php it seems) to avoid leaking state.

link
homakov 4854 days ago
FB is only showcase

for example Single sign on and OAuth2 redirect you to path?code=.. and it's also guessable

link
homakov 4855 days ago
they probably need this functionality..
link