Bypassing locked profile restrictions on Facebook

Posted By Ashley King 02/02/2021 Meta

Summary

Facebook allows certain users to set their Facebook profile to "locked". This means other users cannot view their full profile picture, cover photo, posts, etc. unless they are friends with that person. More information about locked accounts can be found here.

One feature of a locked profile is that the Facebook app automatically prevents other users from taking screenshots of these "locked" profiles. This restriction is ineffective, as it can be circumvented by launching the Facebook app and forcing it to load the profile inside a webview instead of the normal "profile" activity, which is where the screenshot block applies.
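The post does not say how the app enforces the screenshot block. On Android the standard mechanism is the FLAG_SECURE window flag, and that flag is applied per window (in practice, per activity), which is exactly why a second code path that renders the same profile data inside a WebView-hosting activity falls outside the protection unless that activity sets the flag too. The following Java sketch is an added illustration of the defensive pattern and is not code from the post or from Facebook: one base activity applies the flag before any content is attached, and both the native profile screen and the webview screen inherit from it. The class names and the intent extra are hypothetical, and the assumption that FLAG_SECURE is the underlying control is the author's of this example, not the post's.

```java
// Added example (not from the original post, not Facebook's code).
// Assumption: the screenshot block is Android's FLAG_SECURE window flag.
import android.os.Bundle;
import android.view.WindowManager;
import android.webkit.WebView;
import androidx.appcompat.app.AppCompatActivity;

// Base class: every activity that can display locked-profile content
// must extend this so the per-window flag is never forgotten on a new
// rendering path (native view, webview, dialog-hosting activity, ...).
abstract class ScreenCaptureProtectedActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Must run before setContentView(): the flag is attached to the
        // window, and content drawn before it is set is capturable.
        getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }
}

// The "normal" profile activity (hypothetical name).
class ProfileActivity extends ScreenCaptureProtectedActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState); // flag already applied
        // ... native profile UI would be set up here ...
    }
}

// The webview rendering path (hypothetical name). Without inheriting
// from the protected base class, this window would be capturable even
// though it shows the same locked-profile data.
class ProfileWebViewActivity extends ScreenCaptureProtectedActivity {
    static final String EXTRA_URL = "extra_profile_url"; // hypothetical extra

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState); // flag already applied
        WebView webView = new WebView(this);
        setContentView(webView);
        String url = getIntent().getStringExtra(EXTRA_URL);
        if (url != null) {
            webView.loadUrl(url);
        }
    }
}
```

The flag is best effort by design: it blocks the platform screenshot and screen-recording paths and hides the window in the recents view, but it cannot stop someone photographing the screen with a second device. The point of the base-class pattern is narrower and practical: every activity that can display the protected data, whatever component draws it, gets the same window flag, so a review of the code base can check "does it extend the protected base class?" rather than hunting for each individual setFlags call.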

Impact

  • The screenshot restriction implemented for locked profiles is circumvented inside the Facebook app itself by using its webview component

Reproduction

It should be noted that this post refers to an issue that was dismissed by the Facebook security team. The issue is still reproducible.

To see this oversight in action, paste in a "locked" profile link and click the go button. You will be redirected to the Facebook app with the user's profile loaded in a webview. From there you can take a screenshot.

Timeline

  • 27 Jan 2021 - Reported to Facebook
  • 29 Jan 2021 - Closed as informative

Response From Facebook Security Team

Thank you for your report. We don't view this notification as a security or privacy feature as there are multiple ways to bypass it, such as turning on airplane mode to screenshot. This is considered a best effort.

Thank you for sharing this information with us. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.