Facebook Privacy – Is It Possible to Share Hidden Pictures of Another User?

facebook, facebook-privacy

I was browsing pictures of a friend on Facebook. This friend has their privacy settings configured so that you have to be a friend to view them. I'm not able to share them, and even if I open a pic, copy the URL from the address bar, and share it with someone who is not their friend, they're unable to view it.

However, I found a flaw in that routine. If you open up such a picture just the same, then right-click the picture and choose "Copy Image URL" (may differ depending on browser), and share that copied URL, then other non-friends are able to view it.

Is this supposed to be possible? Or is this a security breach in Facebook?

EDIT

To be more specific, when I copy the image URL from the address bar, I get…

https://www.facebook.com/photo.php?fbid=xxxxxxxxxxxxxxxx

However, when right-clicking the picture and copying the image URL, I get…

https://scontent-b.xx.fbcdn.net/xxxxxxxxxxxxxxx

Best Answer

Yes, it's supposed to be possible. Since the URL is a .jpg (e.g. https://scontent-a.xx.fbcdn.net/hphotos-ash4/309_60979110450_4203_n.jpg), you cannot filter its access based on your browser session.

Google+ pictures have the same behavior, for instance. Here is a private photo in one of my G+ albums: https://lh3.googleusercontent.com/-LupTZHNd7bk/UkeMt9ANyvI/AAAAAAAApfI/9vCnBldf6UM/w1289-h967-no/20130928_221255.jpg

Gmail pictures are, however, really private. Notice the difference in the URL: https://mail.google.com/mail/u/0/?ui=2&ik=9b35d04bc1&view=att&th=1415c0ae407284ad&attid=0.1&disp=emb&realattid=ii_1415c0ac0763e031&zw&atsh=1
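
The difference between the two URLs in the question, modelled as an added example (not code from the original post or from Facebook): the page URL checks the friend list against the session on every request, while the image URL is honoured for anyone who presents it. All data, function names and the signed, expiring URL variant (a common way to limit how long a leaked link keeps working, not something this page describes) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one friends-only photo, its owner's friends, two sessions.
FRIENDS = {"alice": {"bob"}}
PHOTOS = {"1001": {"owner": "alice", "blob": b"<jpeg bytes>"}}
SESSIONS = {"sess-bob": "bob", "sess-eve": "eve"}   # session cookie -> user
CDN_PATHS = {}                                      # unguessable path -> photo id
SIGNING_KEY = secrets.token_bytes(32)               # hypothetical CDN signing key

def may_view(user, photo_id):
    owner = PHOTOS[photo_id]["owner"]
    return user == owner or user in FRIENDS.get(owner, set())

def photo_page(photo_id, session_cookie):
    """Address-bar URL: the privacy setting is evaluated on every request."""
    user = SESSIONS.get(session_cookie)
    if user is None or not may_view(user, photo_id):
        return 403, None
    path = "/" + secrets.token_urlsafe(24) + "_n.jpg"   # embedded in the page as <img src>
    CDN_PATHS[path] = photo_id
    return 200, path

def cdn_get(path, session_cookie=None):
    """Image URL: the cookie is never consulted; knowing the path is sufficient."""
    photo_id = CDN_PATHS.get(path)
    return (200, PHOTOS[photo_id]["blob"]) if photo_id else (404, None)

def _mac(path, expires):
    return hmac.new(SIGNING_KEY, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()

def sign(path, expires):
    """Mitigation sketch: the link is still a bearer URL, but it stops working at `expires`."""
    return f"{path}?e={expires}&sig={_mac(path, expires)}"

def cdn_get_signed(url, now):
    """Serve only if the signature matches and the expiry time has not passed."""
    path, _, query = url.partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    try:
        expires = int(params.get("e", ""))
    except ValueError:
        return 403, None
    if now > expires or not hmac.compare_digest(_mac(path, expires), params.get("sig", "")):
        return 403, None
    return cdn_get(path)
```
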