The first URL gives a HTTP 302 (temporary redirect) to the second. So, to find the second URL programatically, you could issue a HTTP request for the first URL and get the Location header of the response.
That said, don’t rely on the second URL being pemanent. Reading a little in to the HTTP response code (of 302 as opposed to a permanent 301), it is possible Facebook changes those URLs on a regular basis to prevent people from—for example—using their servers to host images.
Edit: Notice that the CDN URL the OP posted is now a 404, so we know that we cannot rely on the URL being long-lived. Also, if you’re linking to the Graph API from an <img> on a SSL-secured page, there’s a parameter you have to add make sure you use https://graph.facebook.com.
Update: The API has added a parameter – redirect=false – which causes JSON to be returned rather than a redirect. The retruned JSON includes the CDN URL:
{
"data": {
"url": "http://profile.ak.fbcdn.net/...",
"is_silhouette": false
}
}
Again, I wouldn’t rely on this CDN URL being long-lived. The JSON response is sent with permissive CORS headers, so you’re free to do this client-side with XHR requests.