Feb. 18, 2008

Posted by in Facebook | 3 comments

Facebook Contacts

Discovered an interesting little trick today, though not one I would classify as a hack or big security risk, though it’s a slight privacy hole.  After reading about an old method for accessing the friend list of a user logged into Facebook (Facebook has apparently fixed this one), I did some poking around.  To my surprise, I found another URL that lets you access the friend list of most Facebook users.

I say “most” because access does depend on the person’s privacy settings – if they have their friend list set to private, this URL won’t return any results.  But if not, you can easily get a JSON list of the names, profile addresses, and networks of a user’s friends.

Personally I don’t see this as much of an issue, since any registered Facebook user would already have access to this data.  But this trick does make it easier to download the list in a simple format, and the list could easily be inserted into a non-Facebook web page without any platform authentication.  I’ll let others judge the seriousness of this one, but leave the details out for now – contact me if you want them.

Update: When I saw that the URL was returning a friend list, I didn’t dig deeper… today I noticed that the URL also lists the applications that a user has installed and the pages of which the user is a fan.  Fans are listed on a page, so this once again doesn’t disclose new information there, but it makes it far easier to access.  With applications things are a little different, as an application page only tells you which friends of yours have added the application – and regardless, the information is once again far more accessible with this technique.  I’m now notifying Facebook of this issue.

  1. Hello,
    I am building my own music social network, and it should be up and running within 2 days from now.
    Can you help me by checking the security of my social network? I would really appreciate it.

    Waiting for your reply via email. :)

  2. Could you contact me with this info?

  3. Are you talking to me Adam? :)

Leave a Reply