(Ab)Using Facebook Accessibility for Open Source Intelligence

Chandrapal Badshah
May 20, 2017

Image source: thenextweb.com

Facebook has now become a necessity for urban people, who spend time (a lot of it, actually) staying in contact with old friends and adding new ones. People in rural areas are not spared either: with its rising popularity and the falling cost of internet data plans, most of them are in the process of creating their Facebook profiles (if not now, then in the near future). The small startup whose initial idea was to provide an online platform for socializing has now grown into a giant organization providing so many unimaginable and innovative products and features.

When it comes to Facebook users, from an online investigator's point of view, each profile page holds a huge pile of useful data that could reveal the person's likes, dislikes, emotional state, relationship status, location, frequently visited places, friends, family, etc. So if the Facebook profile is visible to the public (I would rather say strangers), anyone could see your data and collect information (sometimes collect it against you).

Not every profile is authentic, and not every profile picture contains an image of the person. Nowadays profile pictures include monuments, animals, birds and sometimes funny GIFs. During a fast investigation it is really a waste of time to look at a picture that contains something other than a human face. (In a full-length investigation it is really important to look at the profile picture, as anything in it could give some information or insight about the target.)

For command-line-loving OSINT guys who look at targets' online profiles once in a blue moon, it would really be helpful if some tool could analyze the image and print its details, so that the investigator could decide whether the profile picture is worth a look.

Guess what? Facebook provides the information of every profile picture.

How did I find it?

It was a regular day and I got a bit bored after I completed all my tasks. I was just browsing through the profiles of my Facebook friends. As my internet connection slowed down due to a network error, a profile loaded without the profile picture. But something interesting caught my eye.

Screenshot

There was some text behind the profile picture. I immediately right-clicked to inspect the element and saw the following text:

<img class="profilePic img" alt="<Profile Name>’s profile photo, Image may contain: 1 person, close-up" src="https://scontent.fblr1-1.fna.fbcdn.net/v/tx.x-x/xyxyxyx/xxxxxxxxxxxxxx.jpg?oh=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&amp;oe=xxxxxxxx">

OMG! Facebook provided a description of the profile picture.

What is it actually?

After researching a bit, I found that this feature is part of Facebook Accessibility, which was created to help blind people know what the profile picture contains.
NOTE: It is not applicable for Facebook Pages. If a profile is not public, then you need to log in to your account and then view the image’s alt text.

Please look at the links provided at the References section.

Time to automate:

My initial script was straightforward.

My first script

So the output of my first script was:
<img alt="<FB profile name><some random junk>" class="profilePic img" src="https://scontent.fblr1-1.fna.fbcdn.net/v/tx.x-x/xyxyxyx/xxxxxxxxxxxxxx.jpg?oh=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&amp;oe=xxxxxxxx"/>

I didn’t get the expected text. It was replaced by <some random junk>. What just happened?

Facebook is clever enough to detect that this is a Python script, because the default User-Agent of python-requests is python-requests/2.9.1. So this time let me change the User-Agent.

Voila! Got the expected output.

This script could be integrated into any Python tool to know the details of the profile picture of any publicly viewable Facebook profile.

Some Awesome Outputs:

See the picture description for the information

<Profile Name>’s profile photo, Image may contain: one or more people, ocean, sky, sunglasses, outdoor and water
<Profile Name>’s profile photo, Image may contain: 2 people, glasses and close-up
<Profile Name>’s profile photo, No automatic alt text available.

How does this help command-line lovers?

As I described earlier, sometimes profile pictures don’t contain human figures. So if I were in a fast investigation of the above three random people, it would really be of no use to look at the 3rd person’s profile picture. The above script tells me whether there is a human figure in the picture and lets me decide if the profile picture is worth seeing.
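The triage decision described above can be made mechanically from the alt text. The following is an added example, not the author's script: it does no fetching and works on markup that has already been saved, and the names, URLs and the fourth (non-profile) image in SAMPLE are constructed around the three outputs quoted earlier.

```python
import re
from html.parser import HTMLParser

class ProfilePicAlt(HTMLParser):
    """Collect the alt text of every <img> whose class list includes 'profilePic'."""
    def __init__(self):
        super().__init__()
        self.alts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and "profilePic" in (a.get("class") or "").split():
            self.alts.append(a.get("alt") or "")

PREFIX = "Image may contain:"
# Matches the people labels seen in the article: "1 person", "2 people", "one or more people".
PEOPLE = re.compile(r"^(\d+|one or more) (person|people)$")

def parse_alt(alt):
    """Return (labels, has_person); labels is None when no description was generated."""
    if PREFIX not in alt:
        return None, False  # e.g. "No automatic alt text available."
    listing = alt.split(PREFIX, 1)[1].strip().rstrip(".")
    # Labels are comma separated, the last two joined by "and".
    # Assumption: no single label itself contains the word "and".
    labels = [p.strip() for p in re.split(r",\s*|\s+and\s+", listing) if p.strip()]
    return labels, any(PEOPLE.match(label) for label in labels)

def triage(html):
    """Parse saved profile markup and return one (labels, has_person) pair per profile picture."""
    parser = ProfilePicAlt()
    parser.feed(html)
    return [parse_alt(alt) for alt in parser.alts]

# Constructed sample markup (names and URLs are placeholders).
SAMPLE = """
<img class="profilePic img" alt="Alice Example's profile photo, Image may contain: one or more people, ocean, sky, sunglasses, outdoor and water" src="https://example.invalid/a.jpg">
<img class="profilePic img" alt="Bob Example's profile photo, Image may contain: 2 people, glasses and close-up" src="https://example.invalid/b.jpg">
<img class="profilePic img" alt="Carol Example's profile photo, No automatic alt text available." src="https://example.invalid/c.jpg">
<img class="coverPhoto" alt="Image may contain: 1 person" src="https://example.invalid/d.jpg">
"""

if __name__ == "__main__":
    for labels, has_person in triage(SAMPLE):
        print("look" if has_person else "skip", labels)
```
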

References:
