Mar. 15, 2010

Posted by in Facebook | 81 comments

New Trick to View Hidden Facebook Photos and Tabs

Last December, I posted a bit of JavaScript known as a bookmarklet that allowed you to see photo albums for any Facebook user if the album privacy settings allowed it. This highlighted an example of “security through obscurity,” since the lack of links to photos on most profiles seemed to indicate no photos could be viewed. The trick worked as advertised, though it only displayed a few albums for those who had many.

The code came from my own experiments on accessing the hidden photos. It worked quite manually, retrieving data from a particular Facebook interface and stuffing it into the current page. I figured a more elegant solution could be found by re-using the code already embedded in the page, but I had not been able to sort out all of the built-in functions.

Last night and this morning, I found what I’d been missing before, and I now present a far simpler version that gives full access to all available albums of a given user. Simply bookmark this link (right-click and choose to add a bookmark) and click the bookmark when viewing someone’s profile on Facebook.

Once again, please note that this does not in any way circumvent a user’s privacy settings. If you mark your albums as visible only to your friends, this trick will not override that setting. I do not currently know of a way to access private photo albums, and if I did find one, I would report it to Facebook. My purpose in posting this code is to prove a point, not break into users’ accounts.

Here is the new source code:

javascript:(function(){CSS.removeClass(document.body, 'profile_two_columns');tab_controller.changePage("photos");})()

As I said, much simpler! I only had to find the right commands.

But the story doesn’t end there. This new method can be very easily adapted to load other information from a user’s profile, and the new possibilities raise more privacy ramifications. Once again, the trick does not actually override any settings, but it may break some user expectations and highlight the importance of overlooked or unknown settings.

The new behavior is that one can use similar code to access the canvas pages of applications the user has interacted with, as if the user had added the application as a tab on their profile. This includes the “Boxes” tab for users who have it. From what I understand, visibility of this tab page comes from the “Privacy” box under “Edit Settings” next to each application listed in a user’s Application Settings. Such controls have often been overlooked, particularly because they may not have seemed very relevant in the past. While many users stay aware of the privacy settings on their photos and wall posts, they may not think about the content they generate in the context of applications. Often, that content has few if any privacy controls applied.
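The gap described above, between what a profile links to and what the tab loader will actually serve, can be modelled and audited. This is an added example, not code from the original post or from Facebook; the profile schema, audience names and function names are assumptions, and the data is constructed.

```javascript
// Added example: hypothetical profile model with constructed data (not Facebook's schema).
const AUDIENCE_RANK = { only_me: 0, friends: 1, friends_of_friends: 2, everyone: 3 };
// Lowest audience rank a tab must have before each kind of viewer may load it.
const REQUIRED_RANK = { self: 0, friend: 1, friend_of_friend: 2, stranger: 3 };

const sampleProfile = {
  tabs: [
    { id: 'wall',   audience: 'friends',  linkedInNav: true  },
    { id: 'photos', audience: 'everyone', linkedInNav: false }, // no link shown, still public
    { id: 'boxes',  audience: 'everyone', linkedInNav: false }, // app tab left at its default
    { id: 'notes',  audience: 'only_me',  linkedInNav: false },
  ],
};

// The single access decision. Both navigation and content loading call it.
function canView(tab, viewer) {
  const need = REQUIRED_RANK[viewer];
  const have = AUDIENCE_RANK[tab.audience];
  if (need === undefined || have === undefined) return false; // fail closed
  return have >= need;
}

// Content endpoint: enforces the policy whether or not a link was rendered.
function loadTab(profile, tabId, viewer) {
  const tab = profile.tabs.find((t) => t.id === tabId);
  if (!tab) return { status: 404 };
  return canView(tab, viewer) ? { status: 200, tab: tab.id } : { status: 403 };
}

// Navigation derived from the same policy, so "no link" always means "no access".
function navFor(profile, viewer) {
  return profile.tabs.filter((t) => canView(t, viewer)).map((t) => t.id);
}

// Audit: tabs the viewer can load even though the profile shows no link to them.
function unlinkedButReachable(profile, viewer) {
  return profile.tabs
    .filter((t) => !t.linkedInNav && canView(t, viewer))
    .map((t) => t.id);
}

console.log(unlinkedButReachable(sampleProfile, 'stranger'));
```

Running the audit for each viewer type against your own settings shows which content relies only on a missing link rather than on an access restriction.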

Typically, any information available on an application tab is also available through the application itself, but this technique makes it far easier to find. However, it also raises some disturbing possibilities related to application data retention, an issue I’ve noted in the past but not seen discussed much elsewhere. For example, quite a while ago (as in months to years), I used the Pieces of Flair application with my personal Facebook account, arranging various buttons on my virtual corkboard. Eventually I pared down the number of applications I had authorized, and Pieces of Flair was one I uninstalled a number of months ago. Today, however, if you use the sort of bookmarklet posted above to check my Facebook profile for a Pieces of Flair tab page, you’ll see all my virtual buttons once again.

Facebook does notify applications when a user uninstalls them, but it’s up to the developer to actually do something about the data left behind. Apparently Pieces of Flair does nothing with the data, meaning a user has to manually delete their flair before removing the application if they want to truly get rid of the content they generated. Based on my experience, many applications behave in a similar fashion. Some may argue that this behavior is similar to Facebook “deactivating” an account, but at what point should the content expire, and how many applications offer a full deletion? Such issues become matters of retention policies, and based on my past studies of whether applications even had a privacy policy, I would guess that most applications do not currently have such terms.
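One way an application could act on the uninstall notification and apply a retention window, shown as an added example that is not from the original post or from any real application. The `AppStore` class, its method names and the 30-day window are assumptions, and the data is constructed.

```javascript
// Added example: hypothetical in-memory store for a profile-tab application.
const RETENTION_MS = 30 * 24 * 60 * 60 * 1000; // assumed policy: keep 30 days after removal

class AppStore {
  constructor() {
    this.content = new Map();   // userId -> array of user-generated items
    this.removedAt = new Map(); // userId -> time the uninstall notice arrived
  }

  // Writes only come from a user who currently authorizes the app,
  // so a write clears any pending removal for that user.
  addItem(userId, item) {
    this.removedAt.delete(userId);
    if (!this.content.has(userId)) this.content.set(userId, []);
    this.content.get(userId).push(item);
  }

  // Call from whatever endpoint receives the platform's uninstall notification.
  onUninstall(userId, now) {
    if (this.content.has(userId)) this.removedAt.set(userId, now);
  }

  // Tab rendering stops serving the content as soon as the app is removed,
  // even though the data has not been hard-deleted yet.
  renderTab(userId) {
    if (this.removedAt.has(userId)) return null;
    const items = this.content.get(userId);
    return items ? [...items] : null;
  }

  // Periodic job: hard-delete content whose retention window has passed.
  purgeExpired(now) {
    const purged = [];
    for (const [userId, removedTime] of this.removedAt) {
      if (now - removedTime >= RETENTION_MS) {
        this.content.delete(userId);
        this.removedAt.delete(userId);
        purged.push(userId);
      }
    }
    return purged;
  }
}
```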

All of this once again highlights the current complexity of data and privacy on the Facebook Platform. Granted, dealing with third-party applications is not a simple problem to solve, and I’m not simply criticizing Facebook for failing to build a perfect system. But these issues can very easily lead to unpleasant surprises for end users, and at some point someone will have to sort them out.

  1. the count says:

    Wow, nice. Now to test this with my own account so I can modify my privacy settings appropriately! :O

  2. the count says:

    tab changePage value

    wall wall
    info info
    photos photos
    boxes box_3
    links app_2309869772
    events app_2344061033
    notes app_2347471856
    video app_2392950137

    Works like a charm :(

  3. nice…it works..

  4. Hi,

    pasting the url in the address bar of firefox on the profile page of Facebook is not working; I get this error message in the Error console:

    Error: tab_controller is not defined
    Source File: javascript:(function(){CSS.removeClass(document.body,%20′profile_two_columns’);tab_controller.changePage(“photos”);})()
    Line: 1

  5. @gildo: Are you logged in to Facebook? If you’re only viewing a person’s public search page, that would certainly explain why tab_controller isn’t defined. If you are logged in, you could try changing tab_controller to profile_tab_controller. I’ve tested the code successfully in Firefox 3.6.

  6. @theharmonyguy: it works thank you. Do you know this facebook app:

    http://apps.facebook.com/infoplus/

  7. How to navigate beyond first page of photo albums?

  8. @Matt: Are you using the new code or the old link? The interface should be identical to browsing photos for a user you’re friends with. If you don’t see links for more than one page, the user you’re viewing doesn’t have more than one page of albums available to you.

    @gildo: I’d not seen that app before, but in just some quick checking it didn’t seem to work very well. It looked like they might be trying to exploit the API to load other users’ public albums, but Facebook closed that loophole.

  9. @Matt: Ah, I see what you’re talking about. Do you have JavaScript enabled? The links do have an href parameter defined, but when you click them they should update the page without forwarding you to a new URI. If the links are forwarding you, something’s preventing the onclick event from firing.

  10. Yes, it works now, thanks for help.

  11. You can also put “posts” in to see users… well, posts

  12. i don’t understand how to make it works…can someone explain me??

  13. I got it to work with the photos, but can someone explain for us dummies how to get the rest going?

  14. I can get the photos to work, but if I try “wall wall” or anything else (I take it we’re just changing “photo” to “wall wall”, etc?) it goes to an “info” tabs and just loads forever and never comes up with anything.

  15. Excellent! Any way to see past the first 4 albums?

    thnx

  16. Please guys, I’m Italian and I have not figured out what to do. What have I to do with this code? Where have I to put this code? What kind of browser have I to use? I don’t understand anything.

  17. When I enter the code, the page will switch to the person’s tagged photos, but the hidden photos cant be viewed. It’s like nothing happened and I just clicked the photos tab. :|

  18. For those having trouble getting this working: You can use this in any browser. Simply right-click the link that says “bookmark this link” and a menu will pop up. Choose the option for saving as a bookmark or favorite, and give the bookmark a name you’ll remember. Now visit someone’s Facebook profile, and while you have that page up, go to your bookmarks menu or folder and click the bookmark you created.

    For more advanced users: As “the count” pointed out, you can access info from other apps by replacing “photos” in the source code with other strings.

    For those not seeing content: Keep in mind this will only show you content you have permission to access. If you can already click someone’s photos tab and don’t see anything, this trick won’t expose any new photos. If you don’t see any content load for an app, the user doesn’t have any content whose privacy settings make it visible to you. If you only see one page of albums, those are the only albums you can access for that user. This trick does not override access controls – it overrides the default visibility controls. And don’t bother asking for a trick to override permissions on photo albums, as I wouldn’t post such code publicly.

  19. MYSELF IS ANGRY! says:

    no. sorry i don’t really understand, can you give me ur account msn or somethin else.. because it’s quite hard i saved the profile in a bookmark but i still don’t und tell me plz

  20. I get the photos, but when I do anything it just loads eternally. Does it take a really long time to come up? It acts like it’s coming (ones that don’t have wallposts visible, for example, say “so and so has no recent posts”) but for many it just loads and loads. Is there something with that? I’m just typing in that code into my browser and replacing “photos” with “posts”, “wall wall”, etc… that’s all it is, right?

  21. the count says:

    eric, I noticed on certain tabs it looks like it is loading forever and I finally concluded that that tab does not exist for that user. Certainly there’s no content for that tab regardless. theharmonyguy might have better insight into the details of it, but the end result will be the same: nothing for you to see there.

  22. @eric: Usually eternal loading indicates the code you’ve used is not a valid one. Note that “the count”‘s list is two-column – only the righthand side is what you enter, so trying “wall wall” will definitely not work. “the count”, you are correct that no content will load at times, particularly with applications. What you see depends on several factors.

    @Myself is Angry: I’m sorry, but I’m not going to start providing detailed technical support on this post. Besides, much of my posts are intended to educate or raise awareness among developers and security researchers, but I’m guessing you’re probably trying to attempt some “hack” that will likely not succeed using this technique anyway.

  23. hello guys, hello for TheHarmonyGuy

    how can i see a photos and the wall of a hidden facebook profile, that has a complicated privacy, from the subject i thought that even this facebook profile has this privacy lock for all users, i can see them.
    is there any trick or method that i can view all photos and wall for a hidden facebook profile that has privacy settings enabled.

    thank you all,

  24. So much helpful information ! its really good. Thanks for sharing.

  25. the count says:

    Diver, if there is such a way to do what you want, theharmonyguy wouldn’t reveal it here. He is only showing how to view things which the privacy settings allow you to see anyways (but which might not be otherwise obvious how to go about seeing them for any of a variety of reasons).

  26. Really works! Good
    Thanx for sharing

  27. hi
    but i dont knw whr to put this code n how to make it work…….plz can some one help me ASAP.
    thnx

  28. thx. it worked! But the wall feature doesn’t. is there any way to view private TAGGED photos?

  29. Thank you for post. Great tips, tricks is javascript soul.

  30. thanks for the effort, but it does not help when the person has set privacy to only friends and this is what people would like view, at least me. I keep getting “no recent posts” when i change it to posts or wall. How to get over this? is there a solution or no solution at all???

    Thanks.

  31. I asked you a few weeks ago how to see the “next albums”, i see you succeeded. YOU RULE.

  32. @steph: lol, thank you. And thanks for the push to update it.

    @Josh: No ethical solution at all. If you’re looking for unethical solutions, you’re on the wrong site.

  33. for some reason this isn’t working for me, i’m in firefox 3.6 it sends me to a page that tells me to add this or share this on my profile, when i go to use the application it sends me right back to this page? can anyone help me out?

  34. It stopped working today, had been working just fine till yesterday, apparently FB changed code (it’s redirecting to “wall” tab).
    It’s been awesome anyway, thanks dude

  35. @fmf: Still working over here…

  36. Move all content from a facebook fans page and twitter page onto a new account.

  37. soyye_maldives says:

    i tried and it works well, just open the desired profile and paste the script in the address bar and press enter…there you go! all the photos will be displayed for u!!

  38. How about tagged photos?how to view them?

  39. That doesn’t work :(

  40. So much helpful information thx for the post ..i hope u show as much better information for more javascript and thx a lot

  41. Does someone want to help me step by step on how this works?
    I would like to learn this as well.
    Please help me.
    Thanks

  42. Hiya!
    Thanks for this trick. You did a good job :)
    I wanted to ask you if it was possible to see photos where people have been tagged in. For example, I have a friend, it’s marked 26 photos under his profile but when I go to his album he only got 12. Is there any trick to see the tagged photos?

    Thanks a lot xxx

  43. Hey!

    Thanks a lot!
    Does this work with tagged photos?

  44. Why does it work for some profiles and not all?

  45. Hey!
    Good trick!
    But does it also work with tagged photos?

  46. To everyone who’s asked about tagged photos: The trick does not override any of a user’s privacy settings, and Facebook provides such a setting for who can see the photos a user is tagged in. If you’re permitted to see tagged photos by that setting, you should see them when you use the trick. If you’re not permitted to see such photos and still want to, you’re at the wrong site.

  47. Impressed says:

    Hi “theharmonyguy” how are you, I’m grateful for your postings. You have a lot of valid and helpful points. Do you have your own site, or an e-mail I can contact you at? The question I want to ask you is that there is someone I know who has a Facebook account, they have certain privacy settings so that they don’t show up in any search even if we have certain friends in common. This person is very specific as to who they add and because they only know me thru others they won’t add me to their fb. Is there any other way to find them? I see that you sometimes answer to comments on this page so I will come back to see if you can answer this. Thank you again!

  48. i think it’s not working anymore… =(

  49. Yep…. great little trick, but the folks at FB must follow this page as they plugged the hole this afternoon/evening. Worked fine this morning.

  50. Follow this page? I first posted a version of this trick last December. :) But I can confirm the trick is blocked now, and the change must have happened in the last few hours.

    Ironically enough, since the trick always followed a user’s privacy settings, Facebook is now even more inconsistent in applying them.
