Dec. 17, 2009

Posted by in Facebook | 16 comments

Easily View Hidden Facebook Photo Albums

Update

I’ve now posted a new way to view hidden Facebook photos, and the updated code provides access to all available albums. Please see the post “New Trick to View Hidden Facebook Photos and Tabs” for further information and to update your bookmark.

Original Post

In a previous post, I noted that Facebook had removed access to photo albums for any user not your friend. Soon after Facebook rolled out new privacy controls, some users noticed that they could view anyone’s photo albums marked visible to “everyone,” most notably a few from Facebook’s founder, Mark Zuckerberg. Soon after those reports, however, it appeared that the albums were no longer available, as “Photos” tabs disappeared from public profiles and visiting photos.php simply gave an error message.

But as I described, access had not been cut off – Facebook had simply made the albums harder to find. This practice, known as security through obscurity, can mislead users who think their hidden content is safe from prying eyes. To prove my point, I gave directions on how to load the public photo albums of any given Facebook user.

Those directions were a bit technical, however, and I wanted to make the point more obvious. After working through more Facebook code, I came up with a bookmarklet (a bit of JavaScript you can store as a bookmark in your browser) for viewing public photo albums. Bookmark this link, or copy the code below. (Tested in recent versions of Opera, Firefox, and Chrome.)

javascript:(function(){function y(){if(x.readyState==4){q=x.responseText.substring(9);p=eval('('+q+')');document.getElementById('tab_canvas').innerHTML=p.payload.tab_content;}}x=window.XMLHttpRequest?new window.XMLHttpRequest:(window.ActiveXObject?new ActiveXObject("MSXML2.XMLHTTP"):null);x.onreadystatechange=y;x.open('POST','http://www.facebook.com/ajax/profile/tab.php',true);x.send('id='+ProfileURIController._profileId+'&v=photos&__a=1');})()

Once you’ve saved the link, simply visit someone’s public Facebook profile, then load the bookmarklet. It will replace the body of the user’s profile with a list of links to public albums, if any are available. The results are not formatted well and only include the first page of albums, but the code works well enough to demonstrate that public albums are not as well-hidden as you might expect.

I’ve browsed through some random profiles, as well as some more prominent Facebook users, and I think many would be surprised by how many photos I was able to access through this trick. Note that this code does not circumvent privacy settings in any way – it simply makes visible albums you can rightfully access but that Facebook has hidden from view otherwise.

At some point, users who have followed default album settings in the past and left many photos accessible to “everyone” are in for a shock when they realize the implications of those choices. I personally think it best for them to realize that now instead of later, which is why I decided to release this technique.
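The gap this post describes, modelled as an added example (not code from the original post or from Facebook): a data endpoint that answers according to the album's audience setting while the UI decides separately whether to draw the Photos tab. All names, the friends-only tab rule and the sample records are constructed assumptions.

```javascript
// Added illustration: every name and record here is constructed, not Facebook's.
const friends = { alice: ['bob'] };
const albums = [
  { owner: 'alice', title: 'Holiday 2009', audience: 'everyone' },
  { owner: 'alice', title: 'Family', audience: 'friends' },
];

const isFriend = (viewer, owner) => (friends[owner] || []).includes(viewer);

// The one place where access is actually decided.
function canView(viewer, album) {
  if (viewer === album.owner || album.audience === 'everyone') return true;
  return album.audience === 'friends' && isFriend(viewer, album.owner);
}

// Data endpoint: answers any direct request, filtered only by canView().
function albumsServed(viewer, owner) {
  return albums.filter(a => a.owner === owner && canView(viewer, a))
               .map(a => a.title);
}

// UI rule (simplified assumption): the Photos tab is drawn for friends only.
function tabShownObscured(viewer, owner) {
  return viewer === owner || isFriend(viewer, owner);
}

// UI rule derived from the same policy the endpoint enforces.
function tabShownConsistent(viewer, owner) {
  return albumsServed(viewer, owner).length > 0;
}

// Audit: albums the endpoint serves to viewers whose UI shows no Photos tab.
function hiddenButServed(tabShown, viewers, owner) {
  const gaps = {};
  for (const v of viewers) {
    const served = albumsServed(v, owner);
    if (!tabShown(v, owner) && served.length > 0) gaps[v] = served;
  }
  return gaps;
}

const viewers = ['bob', 'mallory']; // mallory is not a friend of alice
console.log(hiddenButServed(tabShownObscured, viewers, 'alice'));
console.log(hiddenButServed(tabShownConsistent, viewers, 'alice'));
```

A non-empty audit result means the interface is understating what the audience setting exposes; the remedy is to change the setting or the policy, since hiding the tab changes nothing about what is served.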

  1. Well, I’ve noticed something interesting related to this.

    Yesterday afternoon, I noticed that the ‘Photos’ tab was still available on profiles of people I am not friends with. I will assume they have never made changes to the privacy settings and that their albums are marked ‘Everyone’.

    Last night, 5 hours later, the ‘Photos’ tab was gone. I also noticed some people tweeting or commenting on Facebook’s blog about the privacy controls for each status update going ‘missing’ (the little lock icon). My theory was that they were again making changes due to the complaint filed against them.

    This morning, once again, I am able to view the ‘Photos’ tab. I’m not sure what is going on. Admittedly the issue may be on my side, because even tho I was logged in, some things weren’t working and I had to re-login this morning. So the alternate theory is that my session somehow got messed up and things stopped working correctly for me sometime last night and this morning it just forced me to authenticate again.

    So, first – what’s going on with Facebook?

    And second, do you need the bookmarklet as well or are you also able to view the regular ‘Photos’ tab on people’s profiles and see nearly all their photo albums? Because that’s what I’m seeing right now.

  2. @nickhacks: When I view the profile of someone I’m not friends with (e.g. Mark Zuckerberg), I do not see any Photos tab. That’s been the case since I heard about the story of Zuckerberg’s public albums, and from comments I’ve seen online, I’m not the only one. Also, clicking the link in a public album to “Go back to Mark’s photos” does not bring up an album list.

    Are you sure you’ve checked profiles of people who are not friends of friends or in the same network as you? I built the bookmarklet since I didn’t see any Photos tab, and I’m still not seeing one now.

  3. ah, think you’re right. It must be my mistake. Seems like only ‘Friends of Friends’ are the ones whose Photos tab I can see.

    Nice job on the bookmarklet tho!

  4. Wow. Sweet and scary…

    Can you only view the first page of albums using this technique?
    Is there a way to modify that link to display the second page of albums?

  5. Wow that’s a bit scary! I just noticed that this was possible though I think you can only see the first few albums of photos anyway, it won’t let you go to page 3 (for example) but still….!!

  6. Jane and Wow: I haven’t yet found a way using this particular trick to view more than the first page of albums, but they’re definitely accessible. In a previous post, I outlined a more technical method that does allow you to display the other pages of albums.

  7. ScorpionSX says:

    Hi, this is a very nice trick, thanks a lot, it really worked for me. Unfortunately, now, there are not that many people with their albums set to public; they probably went through the security settings and set their albums as hidden.
    But, is there any update on how to view other albums/pics? Even maybe those which are accessible only for friends of that person?

  8. It works! thanks man!

  9. How do you bookmark the link? When I click on it nothing happens

  10. Does it only allow you to see the first 3?

  11. FacebookHater says:

    @harmonyguy: It’s easy to get the following pages of galleries. You just add the sb=… parameter. What is important is that it has to be submitted via GET not POST. In other words you have to adjust the JS for it. For the second page it would look like

    javascript:(function(){function y(){if(x.readyState==4){q=x.responseText.substring(9);p=eval('('+q+')');document.getElementById('tab_canvas').innerHTML=p.payload.tab_content;}}x=window.XMLHttpRequest?new window.XMLHttpRequest:(window.ActiveXObject?new ActiveXObject("MSXML2.XMLHTTP"):null);x.onreadystatechange=y;x.open('POST','http://www.facebook.com/ajax/profile/tab.php?sb=5',true);x.send('id='+ProfileURIController._profileId+'&v=photos&__a=1');})()

  12. @FacebookHater: I’m not sure why I didn’t think to adapt this bookmarklet with a GET request, as I’d previously discussed the “sb” parameter… I think I may have had some trouble getting it to work previously, but oh well. Excellent tip, but in my testing the JS still needs a bit more adaptation, like so:

    javascript:(function(){function y(){if(x.readyState==4){q=x.responseText.substring(9);p=eval('('+q+')');document.getElementById('tab_canvas').innerHTML=p.payload.tab_content;}}x=window.XMLHttpRequest?new window.XMLHttpRequest:(window.ActiveXObject?new ActiveXObject("MSXML2.XMLHTTP"):null);x.onreadystatechange=y;x.open('GET','http://www.facebook.com/ajax/profile/tab.php?id='+ProfileURIController._profileId+'&v=photos&__a=1&sb=5',true);x.send();})()

    That one worked for me, and obviously one would simply increment the “sb” value for more albums.

    @Tom: You need to right-click the link to bookmark it.

    @ScorpionSX: If I had a way to override Facebook’s privacy settings, I wouldn’t simply publish it on my blog. :)

  13. Ok, works for one page, that is 5 albums. But those latest two codes do not work for me. Am I doing it right by clicking on “properties” of the bookmarked, then under “location” exchange the code with:

    javascript:(function(){function y(){if(x.readyState==4){q=x.responseText.substring(9);p=eval('('+q+')');document.getElementById('tab_canvas').innerHTML=p.payload.tab_content;}}x=window.XMLHttpRequest?new window.XMLHttpRequest:(window.ActiveXObject?new ActiveXObject("MSXML2.XMLHTTP"):null);x.onreadystatechange=y;x.open('GET','http://www.facebook.com/ajax/profile/tab.php?id='+ProfileURIController._profileId+'&v=photos&__a=1&sb=5',true);x.send();})()

    I don’t understand JavaScript well.

  14. @anonim Now that you mention it, I can’t get my updated code to work either! I’m remembering now some of the issues I encountered when I first worked on this and why I didn’t include a way to load the other pages… they definitely can be loaded, it’ll just take a little more work for me to put it together in a nice bookmarklet.

  15. Anyway, thanks for the first trick. I’ll stop by and check if it’s been solved. I unfortunately can’t help as this scripting is not something I’m good at.

  16. Thanks for this brilliant post! I hope you get that new code working for the other pages.

    This code only seems to work if someone’s photo settings are set to “friends of friends” or something like that. So I was thinking, if this code is able to break through some of Facebook’s privacy, wouldn’t it be possible to create a code that could see all photos even if they’re set to “only friends”?

    I’m not familiar with JavaScript but I’m sure you can find a way!!
