Mar. 15, 2010

Posted by in Facebook | 81 comments

New Trick to View Hidden Facebook Photos and Tabs

Last December, I posted a bit of JavaScript known as a bookmarklet that allowed you to see photo albums for any Facebook user if the album privacy settings allowed it. This highlighted an example of “security through obscurity,” since the lack of links to photos on most profiles seemed to indicate no photos could be viewed. The trick worked as advertised, though it only displayed a few albums for those who had many.

The code came from my own experiments on accessing the hidden photos. It worked quite manually, retrieving data from a particular Facebook interface and stuffing it into the current page. I figured a more elegant solution could be found by re-using the code already embedded in the page, but I had not been able to sort out all of the built-in functions.

Last night and this morning, I found what I’d been missing before, and I now present a far simpler version that gives full access to all available albums of a given user. Simply bookmark this link (right-click and choose to add a bookmark) and click the bookmark when viewing someone’s profile on Facebook.

Once again, please note that this does not in any way circumvent a user’s privacy settings. If you mark your albums as visible only to your friends, this trick will not override that setting. I do not currently know of a way to access private photo albums, and if I did find one, I would report it to Facebook. My purpose in posting this code is to prove a point, not break into users’ accounts.

Here is the new source code:

javascript:(function(){CSS.removeClass(document.body, ‘profile_two_columns’);tab_controller.changePage(“photos”);})()

As I said, much simpler! I only had to find the right commands.

But the story doesn’t end there. This new method can be very easily adapted to load other information from a user’s profile, and the new possibilities raise more privacy ramifications. Once again, the trick does not actually override any settings, but it may break some user expectations and highlight the importance of overlooked or unknown settings.

The new behavior is that once can use similar code to access the canvas pages of applications the user has interacted with, as if the user had added the application as a tab on their profile. This includes the “Boxes” tab for users who have it. From what I understand, visibility of this tab page comes from the “Privacy” box under “Edit Settings” next to each application listed in a user’s Application Settings. Such controls have often been overlooked, particularly because they may not have seemed very relevant in the past. While many users stay aware of the privacy settings on their photos and wall posts, they may not think about the content they generate in the context of applications. Often, that content has little if any privacy controls applied.

Typically, any information available on an application tab is also available through the application itself, but this technique makes it far easier to find. However, it also raises some disturbing possibilities related to application data retention, and issue I’ve noted in the past but not seen discussed much elsewhere. For example, quite a while ago (as in months to years), I used the Pieces of Flair application with my personal Facebook account, arranging various buttons on my virtual corkboard. Eventually I pared down the number of applications I had authorized, and Pieces of Flair was one I uninstalled a number of months ago. Today, however, if you use the sort of bookmarklet posted above to check my Facebook profile for a Pieces of Flair tab page, you’ll see all my virtual buttons once again.

Facebook does notify applications when a user uninstalls them, but it’s up to the developer to actually do something about the data left behind. Apparently Pieces of Flair does nothing with the data, meaning a user has to manually delete their flair before removing the application if they want to truly get rid of the content they generated. Based on my experience, many applications behave in a similar fashion. Some may argue that this behavior is similar to Facebook “deactivating” an account, but at what point should the content expire, and how many applications offer a full deletion? Such issues become matters of retention policies, and based on my past studies of whether applications even had a privacy policy, I would guess that most applications do not currently have such terms.

All of this once again highlights the current complexity of data and privacy on the Facebook Platform. Granted, dealing with third-party applications is not a simple problem to solve, and I’m not simply criticizing Facebook for failing to build a perfect system. But these issues can very easily lead to unpleasant surprises for end users, and at some point someone will have to sort them out.

  1. And roxanne, thanks for the tip.

  2. I think I caught it mid-fix around 7:00 pm (PST)… must’ve been the 2nd shift. It worked once then it stopped working. Oh well, it was useful while it lasted.

  3. Impressed says:

    Put up a new code!

  4. It amuses me that some commenters obviously didn’t bother to check what this site is even about. FYI @all, right up there he says: “I do not currently know of a way to access private photo albums, and if I did find one, I would report it to Facebook.” Get it now?

    @Impressed, even if this were the kind of site you appear to think it is, I doubt anyone would want to help you out with that attitude.

  5. Impressed says:

    @Snow, I get a weird vibe that you’re stalking me.

  6. Impressed says:

    @Snow, why are you even here or how did you find this site? To get the code! “the harmony guy” himself knows this and conveniently promoted his twitter account and blogs on the side. The code itself is being passed around like hot cakes on the net, so I said what everyone else was thinking and wanted.

  7. @Impressed, I don’t even know who you are, how and why would I stalk you? That’s such an odd thing to say, I’m flabbergasted.

    Anyway, I merely pointed out that coming across as demanding may not be the best way to ask for something. I’m sorry if that offended you.

    And with that I shall withdraw from this post.

  8. Impressed says:

    Hi this is directed right at “the harmony guy”. Even though you aren’t breaking any laws aren’t you still afraid to attract shady characters, stalkers, invaders of privacy or at the least FBI, Royal Mounted Police etc. No matter what type of energy positive or negative that is put out there are always pursuers. Hope to hear from you. peace

  9. needsupdating says:

    This bookmark no longer works…..can you provide a new one??

  10. I guess it doesn’t work anymore?
    Can’t get it to work now

  11. A f´n stick in their f+n a+s holes says:

    Man, it has worked just marvelous while it last….i saved alot of waht i want in no time, s´t is screwed and not working anymore, creative and open minds outhere please help us out again!!

    Best of Luck!!

  12. hello there !
    i just want to ask on how to delete my photos in my friends faceebook account . i cant open his account and i hate it when he post my pictures.
    can u help me with that ?!

  13. the count says:

    The trick seems to still work in at least some cases. In fact, I find it still seems to work in almost all cases I’ve tried and only in a tiny few has it stopped working.

    And it’s not that those few are cases where the user changed their privacy, since I can still see albums using the aid directly (http://www.facebook.com/album.php?aid=xxxx&id=xxxxxxxx) which lets me click through to the photos. So the photos and albums retain the same privacy setting.

    Perhaps the change is being “rolled out” to different users at different times? A few months back when everyone was whining about the latest interface change, it took several WEEKS before I got the changed interface. Indeed it seemed like I was the last person on Facebook to get the change applied to my account!

  14. the link doesn’t work anymore but I think I’ve found a workaround. I see Mark Zuckerberg albums :)

  15. Ivano, do you mind sharing the workaround with us?
    appreciate

  16. I would like the new “workaround” as well. If you don’t mind sharing. Thanks =)

  17. Now its not working ??

  18. I think that you can still access all the public albums of a person by looking at the photo comments:

    http://www.facebook.com/photo_comments.php?id=

  19. Don’t work… Exist some new method?

  20. i tried this latest code you posted..it doesnt work anymore..i hope there will be a new one soon, new code to view the photos. thanks..

  21. private ones,i mean.. :p

  22. johnny doe says:

    @ Ivano

    I think from today think this doesn’t work anymore:

    >I think that you can still access all the public albums of a >person by looking at the photo comments:

    >http://www.facebook.com/photo_comments.php?id=

    :(((

  23. @Ivano
    Was working since new interface up til yesterday… what a shame

  24. Hi there, any plans to update the code? Thank you!

  25. Hi The Harmony Guy- Do you have plans to update the code to allow us to view public albums? Also, do you have any comments on the view comments link that was posted above, that no longer works? Thank you- JT.

  26. Look..the only way to view someones photos is to add them as a friend unless you work for some type of law enforcement.

  27. In order to view private albums, best way is getting full access to the profile. It is actually easy if you stop trying to get your target friendship and focus on his/her friends. Why don’t we view our target profile logged as a friend he/she already has accepted? This idea is full explained in
    http://www.giraa2.com/2010/05/acceso-total-un-facebook-privado.html
    (in spanish, but you can use google translator)

  28. twangar says:

    … well i was reading thru the posts… something clicked my mind .. i tried the java code in the initial post , and one thing i m really interested in is that… there is a public link to view photos for any one on fb… that link remains constant for any album, So IF somehow we could tap into that , it wud enable us to view any album , right ?

  29. Facey dude says:

    does anyone know some java script that might enable my settings to make my video page the front page of my facebook?

  30. guys ..anyone able to access anyway the album these days ..?

  31. Toe2thaknee says:

    haha this is hilarious, probably all random people that googled this

Trackbacks/Pingbacks

  1. Easily View Hidden Facebook Photo Albums | Social Hacking - [...] photos, and the updated code provides access to all available albums. Please see the post “New Trick to View ...
  2. uberVU - social comments - Social comments and analytics for this post... This post was mentioned on Twitter by theharmonyguy: New Post: New Trick to View ...
  3. Nuova tecnica per vedere foto private e tab nascoste in Facebook | Spiamo.com - [...] ricercatore descrive in un post intitolato New Trick to View Hidden Facebook Photos and Tabs la tecnica da lui ...
  4. ………..und der Admin hyperventilierte » Blog Archive » 10 der besten, interessantesten, wichtigsten und unterhaltsamsten Artikel aus der Security-Branche. - [...] New Trick to View Hidden Facebook Photos and Tabs [...]
  5. How Facebook is Adding an Identity Layer to the Internet | Social Hacking - [...] has worked hard to maintain user trust, even making some content appear to be more private than it actually ...
  6. Facebook privacy hack, see hidden photos of facebook user | Monirul Islam - [...] Well, I personally did not discover the code we are using here. If you want to main post regarding ...
  7. Facebook is a privacy nightmare - Jonathan Rawle's Website - [...] social networking privacy site Social Hacking has an article containing a Javascript bookmarklet that allows people to see all ...
  8. View Facebook Private Photos/Album | CrazyDavinci's Blog | Social Networking - Programming - Networking - Security - [...] Source : http://theharmonyguy.com/2010/03/15/new-trick-to-view-hidden-facebook-photos-and-tabs/ [...]
  9. Trick to View Hidden Facebook Photos and Tabs | Appacebook - [...] a far simpler version that gives full access to all available albums of a given user. Simply bookmark this ...
  10. RealTime - Questions: "Help me please about javascript odd or even code please!!!!please!!!!?" - [...] Navigation Using jQuery | Nettuts+ Selenium - Is it worth the pain? - Atlassian Developer Blog New Trick ...
  11. Afterward» Blog Archive » Finding hidden pictures - [...] New Trick to View Hidden Facebook Photos and Tabs | Social Hacking Mar 15, 2010 … New Trick to ...
  12. Hidden photos | Completehmsolu - [...] New Trick to View Hidden Facebook Photos and Tabs | Social HackingMar 15, 2010 … The code came from ...