photostalker and photos privacy

[CornellWeasel]

So, I have my real FB's photos privacy set to "everyone" (under Settings > Applications Settings), and most individual albums (under Privacy > Photos) set to "friends only," with 2 albums sent to "everyone." (Previously, I had all albums set to friends only, but changed the settings to "everyone" for the 2 albums so that I could test the accuracy of photostalker).

Thing is that, even though my general settings for the photos are public, photostalker still cannot access the public albums. Any idea why?

I don't exactly need to make those photos public, as my profile is private anyway. I'm just curious as to why that app can't access two albums that are public.

[Angry Johnny]

So, I have my real FB's photos privacy set to "everyone" (under Settings > Applications Settings), and most individual albums (under Privacy > Photos) set to "friends only," with 2 albums sent to "everyone." (Previously, I had all albums set to friends only, but changed the settings to "everyone" for the 2 albums so that I could test the accuracy of photostalker).

Thing is that, even though my general settings for the photos are public, photostalker still cannot access the public albums. Any idea why?

I don't exactly need to make those photos public, as my profile is private anyway. I'm just curious as to why that app can't access two albums that are public.

I think it has to do with the last part: your profile is private.  It can catch it on 'non' private facebooks, but not private.  At least, that's what I thought I read.  Been a month or so since I used the app, though.

[CornellWeasel]

One of my targets just went private not too long ago, but I can access his/her photos through the app. That's the reason I wanted to understand why my profile is not accessing my public photos as well.

[Angry Johnny]

don't know what to say, then.  I could conjecture, but, I didn't make the app, so anything I may say could be wrong.  Could also, very well, be it won't work on 'you' specifically, as in, if you try to view yourself through your actual profile, it may not work...curious, how private are we talking here, anyways?  I keep mine private to an extent, but reopened it as I have nothing too problematic on there.

[roxyb]

I found a fusker program the other day called navnet [navnetapp (dot) com.]  It supposedly can fusker photobucket and facebook for photos.  Has anyone used it?

[Jewels]

There are several posts around the forum for fuskering with navnet

[roxyb]

Thanks.  I'll go look.

[CornellWeasel]

don't know what to say, then.  I could conjecture, but, I didn't make the app, so anything I may say could be wrong.  Could also, very well, be it won't work on 'you' specifically, as in, if you try to view yourself through your actual profile, it may not work...curious, how private are we talking here, anyways?  I keep mine private to an extent, but reopened it as I have nothing too problematic on there.

I was checking my own picts through a fake profile (so, I'd login to fake, then look up my real profile to get the friend ID, and then input that ID to the app).

My profile can be viewed by friends only; my list of friends can also be viewed by friends only. I tried changing my list of friends to be viewed by everyone (in case that privacy setting was the one affecting how the app works), but that didn't work either. I keep my profile private in part because I want to frustrate the heck out of targets if they find me. LOL.

Hey AJ, speaking of this app, do you know if anyone has posted a method of accessing target's public albums after getting the IDs through the app? Cuz if no one has, then I'll do it.

[roxyb]

I figured out the program.    Is there a way to fusker using an album ID?  I've searched but couldn't find anything.  Thanks.

[Angry Johnny]

don't know if anyone has posted a 'true' method, with all the changes recently.  I got sent an email from roxy, which, if she wants, she can post the link (uses burp suite), which shows how to brute force a random code (which I actually found to be unnecessary).  I know using the subj= command you can find all the album ids and maybe access the albums (have to figure a way around that).

[CornellWeasel]

Seems my method is easier than the more complex (i.e., scary, for me anyway) things that's probably involved with Roxy's method. And just so no one gets his/her hopes up, what I'm talking about is just a method of viewing a full PUBLIC album on a private profile, after getting one of the photo URL links from Photostalker.

One of the benefits of my method (can I even call it "mine"?? I bet someone else's been doing this forever before me...), though not a breakthrough in codes or anything, is that it allows you to read comments because the album itself is accessed.

So, I guess I'll post it in a few min.

[roxyb]

don't know if anyone has posted a 'true' method, with all the changes recently.  I got sent an email from roxy, which, if she wants, she can post the link (uses burp suite), which shows how to brute force a random code (which I actually found to be unnecessary).  I know using the subj= command you can find all the album ids and maybe access the albums (have to figure a way around that).

Thanks for your help!  The method I found is at: http://securityninja.co.uk/blog/?p=198  I noticed public albums don't have an &l##### after them, so maybe that can be worked with.  I was wondering if fuskering would work to get in, like if someone took: album.php?aid=XXXX&id=XXXX&l#####.   Or can you find an album's &l part anyway?   I'm not sure how to fusker a link like that, burp suite goes way over my head. 

How do you use subj=command?  I haven't done that before. 

Looking forward to seeing CornellWeasel's method, too.

[Angry Johnny]

http://www.facebook.com/photos.php?subj=XXXXXXXX where xxxxxxx is the id of the person who you want to see.

[rb9398]

that code doesn't allow you to see the actual photos though huh?

[roxyb]

http://www.facebook.com/photos.php?subj=XXXXXXXX where xxxxxxx is the id of the person who you want to see.

Thanks!