How Facebook pictures are organized internally.
EDIT: The image used for test deletion is finally off the actual image hosting servers. Apparently, it takes around 5 days for a picture deleted from Facebook to be deleted from the servers. Thanks, Brian Kinney, for the tip.
1. Intro to Facebook Stalking - Pictures
- Gaurav Ragtah
When someone sends you a Facebook image URL (i.e. one where just the image opens in the browser, and nothing else), it looks something like this:
https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-snc6/216083_10150177890751234_515006233_6971227_4935405_n.jpg
(You can get an image URL by right-clicking on an image in Facebook and selecting 'copy image URL'.)
Now, notice the part of the URL after the last '/': 216083_10150177890751234_515006233_6971227_4935405_n.jpg
There are five numbers here.
The first, fourth and fifth are timestamps generated by Facebook when one uploads an image.
The second and third numbers, however, are the picture id and the user profile id (of the person who uploaded the image) respectively.
So to see the actual image in the album context, plug in the 2nd number into
https://www.facebook.com/photo.php?fbid=
which in our case will be
https://www.facebook.com/photo.php?fbid=10150177890751234
AND
to see the user profile of the person who uploaded the picture, plug in the 3rd number from the image URL into
https://www.facebook.com/profile.php?id=
which in our case will be
https://www.facebook.com/profile.php?id=515006233
VOILA!! ;)
Happy facebook-ing.
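The filename layout described above can be turned into a check to run before passing a bare image link around. This is an added example, not code from the original post: the function names are made up here, the draft text is constructed, and the pattern assumes the five-number layout followed by a single trailing letter, as in the URLs on this page.

```python
import re
from urllib.parse import urlparse

# Layout from the post: five underscore-separated numbers, then one letter
# ("n" in the post's examples) before the .jpg extension.
_NAME = re.compile(r"^(\d+)_(\d+)_(\d+)_(\d+)_(\d+)_([a-z])\.jpg$")

# The image URL quoted in the post.
SAMPLE_URL = ("https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-snc6/"
              "216083_10150177890751234_515006233_6971227_4935405_n.jpg")

# Constructed message draft, used only to exercise the scanner.
DRAFT = ("Look at this: " + SAMPLE_URL +
         ". And this one: https://example.com/images/cat.jpg")


def leaked_identifiers(image_url):
    """Return the ids embedded in a bare image URL, or None when the
    filename does not follow the five-number layout."""
    name = urlparse(image_url).path.rsplit("/", 1)[-1]
    match = _NAME.match(name)
    if match is None:
        return None
    photo_id, profile_id = match.group(2), match.group(3)
    return {
        "photo_id": photo_id,      # 2nd number: the picture id
        "profile_id": profile_id,  # 3rd number: the uploader's profile id
        "photo_page": "https://www.facebook.com/photo.php?fbid=" + photo_id,
        "profile_page": "https://www.facebook.com/profile.php?id=" + profile_id,
    }


def review_before_sharing(text):
    """Scan a draft for image links that reveal who uploaded the picture."""
    findings = []
    for raw in re.findall(r"https?://\S+", text):
        url = raw.rstrip(".,)")  # drop punctuation that trails the link
        ids = leaked_identifiers(url)
        if ids:
            findings.append((url, ids))
    return findings


if __name__ == "__main__":
    for url, ids in review_before_sharing(DRAFT):
        print("This link identifies its uploader:", url)
        print("  photo page:  ", ids["photo_page"])
        print("  profile page:", ids["profile_page"])
```

A link that comes back with findings is better shared as a re-uploaded copy or a screenshot, since the filename alone points back to the uploader.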
Read on:
Now, a brute-force script can easily be written to generate timestamps to plug into the image URLs, so that you can possibly view and download private images from someone's profile that you cannot view directly through Facebook. (There is literature on the web about how to do it, and about how it's easier to brute-force timestamps than truly randomly generated numbers, which Facebook did not implement.)
Some Facebook pictures that you upload and later delete or set to private still exist on Facebook's 3rd party servers and can still be viewed by the image URL links; further, they can be traced back to who uploaded them.
As a test, I uploaded an image, took note of its image URL and then deleted it from Facebook. The image is still out there on the image hosting servers, as you can see here:
https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash4/321248_10150325810871234_515006233_8188580_1724070261_n.jpg
So, as a general rule, don't upload stuff you wouldn't be comfortable with if made public.
- Gaurav
Note: This doesn't work for images uploaded prior to late 2009 or so, I think, since Facebook slightly changed the way the images were organized on their storage servers.