Jul. 15, 2008

Posted by in Facebook | 2 comments

Quick Update on Top Friends

If you’ve been keeping up with Facebook development news, you’ve no doubt heard about the Top Friends application getting banned.  In the past I’d pointed out that you could access application data about other users, but that was before Slide created quasi-profile pages within the application.  These exposed not only application data but actual profile data, such as birthday and relationship status.

Since Top Friends is back online now, I decided to test it out again.  While I couldn’t get to any profile data for non-friends, I could still access all the application data as before, i.e. a person’s top friends, who lists them as a top friend, their SuperPoke feed, etc.  Most of the data coming from the person’s actual Facebook profile is simply listed as “not specified,” so this is not a repeat of the most recent hole.  It requires a little more trickery with the new setup, but still isn’t that hard.  And it once again proves my point that most application data is not secure.

By the way, if anyone has more technical info on the hole that took Top Friends down, I would be quite interested.  As with Social Banners, I’m still trying to figure out how exactly Slide access profile data for users that were not a person’s friend.  All my experience with Facebook API calls shows that they require certain credentials tied to a current user’s session, so requests for a stranger’s birthday would return nil.  The only other option I can think of a the moment is storing the data, which would be rather stupid on Slide’s part.  Maybe I just haven’t had enough Mountain Dew today, but I’m still a bit mystified by this one.

As usual, if you don’t believe me on this, just drop me a line – I can either send technical details or you can challenge me to access your top friends.  I used to be more reserved about hacks like this, but they come up so often and are so rarely/sporadically patched that I’m thinking I’ll just start posting code outright.

  1. Are you serious? I thought Top Friends is back and secure (at least thats what I read on Allfacebook)

  2. Top Friends no longer exposes data from your actual Facebook profile, such as birthday or relationship status. One can still access data generated by and within the context of the application (and associated applications), such as who your top friends are or who lists you as a top friend.

Leave a Reply