Dec. 24, 2009

Posted by in Facebook | 18 comments

Easily View Hidden Facebook Friend Lists

Amid all the festivities of the Christmas season, the time off from other responsibilities has given me some more time to pursue one of my hobbies: hacking. (Or at least trying to hack – much of what I do would probably not be considered true “hacking” by many.)

Lately I’ve demonstrated how various data on Facebook, such as photo albums and events, can be accessed by anyone even when most users would probably think otherwise. You can now add friend lists to that category of data.

You may recall that when Facebook rolled out their new privacy settings, many analysts complained about the list of who a user had “friended” becoming part of what Facebook classified as Publicly Available Information. In response, Facebook added a setting to remove the lists from a user’s profile, a move that seemed to quell some of the criticism.

But Facebook also made one point clear about friend lists: “This information is still publicly available, however, and can be accessed by applications” (Source: CNET). Since Facebook still considers friend lists to be PAI, I do not consider the details I’m about to publish a vulnerability and therefore feel free to disclose them.

Replace USERID in the following URI with a Facebook user’s ID number (e.g. Mark Zuckerberg’s is 4) and load the URI:

http://www.facebook.com/ajax/typeahead_friends.php?u=USERID&__a=1

You’ll see a chunk of JSON that includes a list of the user’s friends, including names and profile links. The list is sorted by friends’ ID numbers. By the way, you don’t even need to be logged into Facebook for this trick to work, at least for users whose public profile is enabled; as the follow-up testing in the comments shows, whether an unauthenticated request succeeds depends on that setting rather than on the friend-list privacy setting. (Interestingly enough, I had come across a similar technique years ago, forwarded details to Facebook, then forgot about it; I wonder if this would have worked even prior to the new privacy controls.)
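As an added example (not code from the original post, and not Facebook’s own code), here is a small Python parser for the response shape this endpoint returned. The endpoint has long since stopped returning data, so everything runs offline on constructed sample bodies: the empty envelope is the one several commenters below pasted, while the populated one is made up for illustration, and its per-friend keys `uid`, `text` and `path` are assumed names for the ID, name and profile link the post mentions, since the page never quotes a populated response. The `for (;;);` prefix is Facebook’s anti-JSON-hijacking guard, which is why a consumer has to strip it before decoding.

```python
"""Parse the typeahead_friends.php response envelope described in the post.

Added example, not part of the original post. The sample bodies below are
constructed; the per-friend keys "uid", "text" and "path" are assumptions.
"""
import json
from urllib.parse import urlencode

BASE = "http://www.facebook.com/ajax/typeahead_friends.php"

# Facebook prefixed AJAX JSON with an infinite loop so that including the URL
# via <script src=...> would hang instead of leaking the data to a third-party
# page (anti JSON-hijacking guard). Legitimate consumers strip it first.
GUARD = "for (;;);"

# Verbatim shape pasted by commenters once the endpoint stopped returning data.
SAMPLE_EMPTY = 'for (;;);{"__ar":1,"payload":{"friends":[]}}'

# Constructed sample of a populated response; field names are assumptions.
# The post says the list comes back sorted by the friends' ID numbers.
SAMPLE_POPULATED = (
    'for (;;);{"__ar":1,"payload":{"friends":['
    '{"uid":4,"text":"Mark Zuckerberg","path":"/profile.php?id=4"},'
    '{"uid":4617,"text":"Randi Zuckerberg","path":"/profile.php?id=4617"}'
    ']}}'
)


def build_url(user_id, a_flag=1):
    """Return the URI from the post with USERID substituted and __a set."""
    return BASE + "?" + urlencode({"u": user_id, "__a": a_flag})


def parse_typeahead_response(body):
    """Strip the guard prefix, decode the envelope and return the friends list.

    Raises ValueError if the guard is missing or the envelope is not shaped
    like {"__ar": ..., "payload": {"friends": [...]}}.
    """
    if not body.startswith(GUARD):
        raise ValueError("response lacks the for (;;); guard prefix")
    envelope = json.loads(body[len(GUARD):])
    payload = envelope.get("payload")
    if not isinstance(payload, dict) or "friends" not in payload:
        raise ValueError("unexpected envelope: no payload.friends")
    return payload["friends"]


def friend_summary(body):
    """Summarise a response: how many friends, whether IDs are sorted as the
    post claims, and the names / profile links.  An empty list is what a
    hidden or inaccessible friend list looks like, per the comments."""
    friends = parse_typeahead_response(body)
    ids = [int(f["uid"]) for f in friends]
    return {
        "count": len(friends),
        "sorted_by_id": ids == sorted(ids),
        "names": [f["text"] for f in friends],
        "profile_links": [f["path"] for f in friends],
    }


if __name__ == "__main__":
    print(build_url(4))
    print(friend_summary(SAMPLE_EMPTY))
    print(friend_summary(SAMPLE_POPULATED))
```

Running it against a live body would only add an HTTP fetch of `build_url(...)`; the parsing logic is the part worth keeping, since the empty `payload.friends` array is exactly what commenters later reported when the list was hidden or the endpoint had been changed.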

Once again, if you’re using Facebook, make sure you understand what information is available to everyone. (And have a merry Christmas! :)

  1. OzzyGreene says:

    Dude, you’ve inspired me, and guess what?
    I’m in this… and I just knew this: “there’s NO privacy with Netlog.com”.
    I knew you, Harmony Guy, would drag us to jail.
    Adios amigo,
    Ozzy Greene

  2. Hi,

    Here’s what my little tests showed when I try http://www.facebook.com/ajax/typeahead_friends.php?u=USERID&__a=0

    unauthenticated session: the result set is empty for users that have hidden their friend list and users that have not migrated yet, but is accessible for users that haven’t done so.

    authenticated session: the result set is empty for users that have not migrated yet, but is accessible for all users that have done so, regardless of whether they have hidden their friend list or not.

    So even after you have migrated, hiding your friend list does give you some protection against unauthenticated scraping.
    You would have protection against authenticated scraping on the condition that Facebook monitors for an excessive number of requests coming from one userID.

  3. @Pascal: Thanks for the further testing. I operated off the assumption that all users will eventually migrate, so I didn’t take migration into account.

    Also, I mentioned in my post that the trick works even when not logged in. From what I’ve found in further testing, it appears that whether the trick works for an unauthenticated session depends on whether the user has a public profile, not the privacy of their friend list. For instance, http://www.facebook.com/ajax/typeahead_friends.php?u=4&__a=1 brings up Mark Zuckerberg’s friend list regardless of whether you’re logged in, but http://www.facebook.com/ajax/typeahead_friends.php?u=4617&__a=1 only brings up Randi Zuckerberg’s friend list if you’re logged in. Both have their friend lists hidden on their profile, but Randi has her public profile disabled.

  4. How do you find a Facebook user’s ID number?

  5. It doesn’t work.

  6. It doesn’t work anymore!

  7. No, it does!

    Thank you very much

  8. Not working... yeah... :/

  9. It’s not working now.

    for (;;);{"__ar":1,"payload":{"friends":[]}}

  10. Having a problem with invisible members in my Facebook groups; Facebook should do something before they tarnish its image.

  11. rahmankdkl says:

    Hi !
    It is possible to see hidden friends manually…

    http://rahmankdkl.blogspot.com/2011/11/guide-to-see-hidden-friends-list.html

    Thanks!

  12. It says:
    for (;;);{"__ar":1,"payload":{"friends":[]}}

    when I tried this ID: 148844738542013

    Kindly help me out, please!

  13. for (;;);{"__ar":1,"payload":{"friends":[]}}

    This comes up :(
    Not working... please help.

  14. It opens up my own friends list!!!

Trackbacks/Pingbacks

  1. Tweets that mention Easily View Hidden Facebook Friend Lists | Social Hacking -- Topsy.com - [...] This post was mentioned on Twitter by Melissa and theharmonyguy, topsy_top20k. topsy_top20k said: New Post: Easily View Hidden Facebook ...
  2. uberVU - social comments - Social comments and analytics for this post... This post was mentioned on Twitter by theharmonyguy: New Post: Easily View Hidden Facebook ...
  3. Facebook’s Fluid Definition of Publicly Available Information | Social Hacking - [...] wasn’t long before someone discovered a “means to do so.” In December, I posted a simple trick that would ...
  4. Social Media Security » Facebook’s Fluid Definition of Publicly Available Information - [...] course, it wasn’t long before someone discovered a “means to do so.” In December, I posted a simple trick ...
